All Domains Exam.
A minimum of 70% is required to pass.
#1. Which of the following are ways to defend against cross-site tracing?
Cross-site tracing is an attack to obtain authentication information by embedding TRACE method HTTP communication in a web page. Suppose the TRACE method is embedded in the login screen by XSS. After the password to log in is sent, it is returned by TRACE and comes back. The password that has just been sent is returned to the browser, leading to a compromise.
#2. We are implementing several new standards and frameworks in our organization. We have decided to do scoping on one of the standards we are implementing. What will that entail?
#3. According to the Kerckhoffs’s principle, which of the following should not leak?
The Kerckhoffs’s principle is the idea that cryptography should be secure even if everything but the private key is known. When encrypting data, one decides on a private key and how to encrypt it using that private key. Kerckhoffs says that even if it is known how it is encrypted, it should not be deciphered as long as the secret key is not discovered. Encryption has been with the history of human warfare. The main purpose is to communicate a strategy to one’s allies without being discovered by the enemy. In battle, its designs and encryption devices may be stolen by spies. Therefore, the encryption must be such that it cannot be solved without the key, no matter how much is known about how it works.
#4. Which of the following is NOT a role of the memory manager?
〇：Run an algorithm that identifies unused committed memory and informs the operating system that memory is available.
This answer describes the function of the garbage collector, not the memory manager. The garbage collector is a countermeasure against memory leaks. It is software that runs an algorithm to identify unused committed memory and tells the operating system to mark that memory as “available. Different types of garbage collectors work with different operating systems, programming languages, and algorithms.
In some cases, a four-choice question can be answered without knowing the exact answer; since there is only one correct answer in a four-choice question, the answers can be grouped together to reduce it to “since they are saying the same thing, it is not right that only one of them is correct, therefore they are both wrong.
There are two answers to the effect of controlling the process to handle memory appropriately, but if the memory manager does not have that functionality, both would be correct, and therefore can be eliminated from the choices in the first place.
×：If processes need to use the same shared memory segment, use complex controls to guarantee integrity and confidentiality.
If processes need to use the same shared memory segment, the memory manager uses complex controls to ensure integrity and confidentiality. This is important to protect memory and the data in it, since two or more processes can share access to the same segment with potentially different access rights. The memory manager also allows many users with different levels of access rights to interact with the same application running on a single memory segment.
×：Restrict processes to interact only with the memory segments allocated to them.
The memory manager is responsible for limiting the interaction of processes to only those memory segments allocated to them. This responsibility falls under the protection category and helps prevent processes from accessing segments to which they are not allowed. Another protection responsibility of the memory manager is to provide access control to memory segments.
×：Swap contents from RAM to hard drive as needed.
This is incorrect because swapping contents from RAM to hard drive as needed is the role of memory managers in the relocation category. When RAM and secondary storage are combined, they become virtual memory. The system uses the hard drive space to extend the RAM memory space. Another relocation responsibility is to provide pointers for applications when instructions and memory segments are moved to another location in main memory.
#5. Which of the following are possible standards used for credit card payments?
PCI DSS (Payment Card Industry Data Security Standard) is a framework to avoid personal information leakage when making electronic payments. Therefore, the correct answer is “PCI DSS.
By the way, if you were to ask, “Which of the following are possible?” I am tempted to argue that other frameworks may be used as well. However, in the CISSP exam, you may have to choose “the most plausible” option in some cases. Therefore, we have used this phrase.
The Health Information Technology for Economic and Clinical Health Act (HITECH) is an enhanced version of HIPPA that applies not only to data management but also to health care business associates.
OCTAVE is one of the risk assessment frameworks introduced in CERT.
COBIT is a framework for measuring the maturity of a company’s IT governance. It was proposed by the Information Systems Control Association of America (ISACA) and the IT Governance Institute (ITGI).
#6. What vulnerability is logically possible for an attacker to guess a URL that he/she does not know?
#7. Which of the following is NOT an appropriate reason to develop and implement a disaster recovery plan?
〇：To create an overview of business functions and systems
Outlining business functions and systems is not a reason to create and execute a disaster recovery plan. While these tasks are likely to be accomplished as a result of the disaster recovery plan, they are not a valid reason to implement the plan compared to other answers to the question. Usually occurring during the planning process, simply outlining business functions and systems is not enough to develop and implement a disaster recovery plan.
×：To create post-disaster recovery procedures
It is not correct to develop and implement a disaster recovery plan because providing post-disaster recovery procedures is a good reason to do so. In fact, this is exactly what a disaster recovery plan provides. The goal of disaster recovery is to take the necessary steps to minimize the impact of a disaster and ensure that resources, personnel, and business processes can resume operations in a timely manner. The goal of a disaster recovery plan is to handle the disaster and its consequences in the immediate aftermath.
×：To back up data and create backup operating procedures
Inappropriate, because not only backing up data but also extending backup operations is a good way to develop and implement a disaster recovery plan. When considering a disaster recovery plan, some companies focus primarily on backing up data and providing redundant hardware. While these items are very important, they are only a small part of a company’s overall operations. Hardware and computers need people to configure and operate them, and data is usually not useful unless it can be accessed by other systems or outside entities. All of these may require backups as well as data.
×：To establish emergency response procedures
This is incorrect because there are good reasons to establish and implement a disaster recovery plan, and providing emergency response procedures is a valid reason. Disaster recovery plans are implemented when everything is in emergency mode and everyone is scrambling to get all critical systems back online. Carefully written procedures will make this entire process much more effective.
Translated with www.DeepL.com/Translator (free version)
#8. An attacker used a brute force attack to break my password. How did you know it was a brute force attack?
#9. Which security architecture model defines how to securely develop access rights between subjects and objects?
The Graham-Denning model addresses how access rights between subjects and objects are defined, developed, and integrated. It defines a basic set of rights in terms of the commands that a particular subject can execute on an object. The model has eight basic protective rights or rules on how to safely perform these types of functions
It is incorrect because its purpose is to provide access control that can be changed dynamically according to the user’s previous actions. The main purpose is to protect against conflicts of interest due to user access attempts. For example, if a large marketing firm provides marketing promotions and materials for two banks, the employee responsible for the Bank A project should not be able to see information about Bank B, the marketing firm’s other bank customer. A conflict of interest could arise because the banks are competitors. If the project manager of the marketing firm’s Project A can see information about Bank B’s new marketing campaign, he may attempt to execute it rather than promote it to please more direct customers. Marketing firms have a bad reputation when internal employees can act irresponsibly.
The Clark-Wilson model is incorrect because it is implemented to protect data integrity and ensure that transactions are properly formatted within the application. Subjects can only access objects through authorized programs. Segregation of duties is enforced. Auditing is required. The Clark-Wilson model addresses three integrity goals: preventing changes by unauthorized users, preventing inappropriate changes by unauthorized users, and maintaining internal and external consistency.
This model was developed to address concerns about the security of U.S. military systems and the leakage of classified information, and is incorrect. The primary goal of the model is to prevent unauthorized access to classified information. It is a state machine model that enforces the confidentiality aspect of access control. Matrices and security levels are used to determine if a subject has access to different objects. Specific rules are applied to control how objects interact with each other compared to the subject’s object classification.
#10. You want to make it clear to developers that application processing and session processing are separate. Which network model should they follow?
〇：OSI reference model
The OSI reference model is a seven-layer classification of network communication. The concepts of application communication and session are separated, which would be clearly communicated based on the OSI reference model. Therefore, the correct answer is “OSI reference model.
The TCP/IP model is a layer design that is closer to the concept of a system than the OSI reference model; in the TCP/IP model, the application layer, presentation layer, and session layer of the OSI reference model are represented by a single application layer.
×：Data link model
There is no such model.
Biba model is one of the security models that indicates that data cannot be changed without permission.
#11. When submitting a security report to management, which of the following elements is most important?
〇：A Comprehensive Executive Summary
No matter how technically comprehensive a report to management may be, it is not always desirable to be too informative; IT security professionals must understand that the risk to the enterprise from a data breach is only one of many concerns that senior management must understand and prioritize. C-level executives must be attentive to many risks and may have difficulty properly categorizing the often unfamiliar, highly technical threats. In short, the IT security professional’s primary job is to summarize the risks in as short a time as possible in a way that suits the management.
×：List of Threats, Vulnerabilities, and Likelihood of Occurrence
This is incorrect because it is not the most important element to report to management. Such a list is essential to a comprehensive security report, but providing it to senior management is unlikely to result in effective action without a skillful executive summary.
×：A comprehensive list of the probability and impact of expected adverse events
This is incorrect because it is not the most important element of the report to management. Such lists are important in technical reports, but summaries are critical to achieving risk mitigation goals.
×：A comprehensive list of threats, vulnerabilities, and likelihood of occurrence, a comprehensive list of the probability and impact of expected adverse events, and a written summary thereof to meet technical comprehensiveness
incorrect because it describes the most common and significant obstacles to reporting to management.
#12. An IT security team at a small healthcare organization wants to focus on maintaining IDS, firewalls, enterprise-wide anti-malware solutions, data leak prevention technology, and centralized log management. Which of the following types of solutions implement standardized and streamlined security features?
〇：Unified Threat Management
Unified Threat Management (UTM) appliance products have been developed to provide firewall, malware, spam, IDS / IPS, content filtering, data leak prevention, VPN capabilities, and continuous monitoring and reporting in computer networks.
Since this question asks for a definition of Unified Threat Management that is unfamiliar or not even mentioned in the course material, it is inefficient to buy and study a new book just to get this score. To avoid ending up with “I don’t know = I can’t solve it,” be sure to develop the habit of choosing a “better answer.
If you think in terms of the classification Concepts/Standards > Solutions/Implementation Methods, ISCM (NIST SP800-137) and centralized access control systems are the former, while Unified Threat Management and cloud-based security solutions are the latter. Therefore, it is still better to bet on unified threat management and cloud-based security solutions.
×：ISCM (NIST SP800-137)
Because continuous monitoring in the security industry is most commonly Information Security Continuous Monitoring ISCM (NIST SP800-137), which enables companies to gain situational awareness, continuous awareness of information security, vulnerabilities, and threats to support business risk management decisions , is incorrect.
×：Centralized Access Control System
Wrong because a centralized access control system does not attempt to combine all of the security products and capabilities mentioned in the issue. A centralized access control system is used so that its access control can be enforced in a standardized manner across different systems in a network environment.
×：Cloud-based security solutions
Cloud-based security solutions include security managed services that allow an outsourced company to manage and maintain a company’s security devices and solutions, but this is not considered a cloud-based solution. The cloud-based solution provides the infrastructure environment, platform, or application to the customer so that the customer does not have to spend time and money maintaining these items themselves.
#13. Which of the following plans is intended to establish a senior management or post-disaster headquarters?
〇：Continuity of Operations Plan
A continuity of operations plan (COOP) establishes senior management and post-disaster headquarters. It also outlines roles and authorities and individual role tasks.Creating a COOP begins with an assessment of how the organization operates to identify mission-critical staff, resources, procedures, and equipment. Suppliers, partners, and contractors identify other companies with whom they routinely interact and create a list of these companies. Therefore, the correct answer is the Continuity of Operations Plan.
×：Cyber Incident Response Plan
Cyber Incident Recovery is a plan for recovery from a cyber attack.
×：Crew Emergency Plan
A Crew Emergency Plan is a plan for the smooth transition of a facility’s staff to a secure environment.
×：IT Contingency Plan
A contingency plan is a plan that outlines the measures to be taken in the event of an accident, disaster, or other emergency.
#14. Which of the following incorrectly describes a directory service?
〇：Conforms to the X.509 standard and assigns a namespace to each object accessed in the database by LDAP.
Most companies have directories that contain information about company network resources and users. Most directories use a hierarchical database format based on the X.500 standard (not X.509) and a type of protocol such as LDAP (Lightweight Directory Access Protocol) that allows subjects and applications to interact with the directory The application can then use LDAP to access the directory. Applications can request information about a particular user by making an LDAP request to the directory, and users can request information about a particular resource using a similar request. The directory service assigns an Distinguished Name (DN) to each object in the database based on the X.500 standard to be accessed. Each distinguished name represents a set of attributes about a particular object and is stored as an entry in the directory.
×：Namespaces are used to manage objects in the directory.
This is incorrect because objects in a hierarchical database are managed by a directory service. Directory services allow administrators to configure and manage identification, authentication, permissions, and access control for the network. Objects in the directory are labeled and identified by namespace, which is how the directory service keeps objects organized.
×：Enforce security policies by performing access control and identity management functions.
This is incorrect because directory services enforce the security policy set by performing access control and identity management functions. For example, when a user logs into a domain controller in a Windows environment, the directory service (Active Directory) determines which network resources are accessible and which are not.
×：Administrators can configure and manage how identification takes place within the network.
Directory service is incorrect because it allows the administrator to configure and manage identification within the network. It also allows for the configuration and management of authentication, authorization, and access control.
#15. Which of the following is NOT a factor in determining the sensitivity of data confidentiality?
〇：How to use the data
How data is used does not depend on how sensitive it is. In other words, data is sensitive no matter how it is used, even if it is not used at all.
×：Identifying who needs access to the data
Wrong. This is because data classification criteria must take into account very directly who needs access to the data and their clearance level in order to see sensitive data. If data is classified at too high a level, that user will not have access. If the level is classified too low, an unauthorized user may access the data.
×：Value of the data
This is incorrect because the intrinsic value of the data directly determines the degree of protection. This is determined by its classification. This is true regardless of whether the prioritization must be confidentiality, integrity, or availability.
×：The level of damage that could occur if the data were disclosed.
This is erroneous because the degree of damage that disclosure, modification, or destruction of the data would cause is directly related to the level of protection that must be provided.
#16. When attackers set up war dialing, what do they try to do?
War Dialing is the indiscriminate and repeated act of cracking dial-ups in search of dial-up lines, such as those for non-public internal networks. It automatically scans a list of telephone numbers, usually dialing all numbers in the local area code, and searches modems, computers, bulletin board systems, and fax machines.
#17. Encryption provides different security depending on the procedure and & algorithm. Which of the following provides authentication, non-repudiation, and integrity?
A digital signature is a hash value encrypted with the sender’s private key. The act of signing means encrypting a hash value of a message with a private key. A message can be digitally signed, providing authentication, non-repudiation, and integrity. The hash function guarantees the integrity of the message, and the signature of the hash value provides authentication and non-repudiation.
Encryption algorithms are wrong because they provide confidentiality. Encryption is most commonly performed using symmetric algorithms. Symmetric algorithms can provide authentication, non-repudiation, and integrity as well as confidentiality.
Hash algorithms are wrong because they provide data integrity. Hash algorithms generate a message digest, which detects whether modifications have been made (also called a hash value). The sender and receiver individually generate their own digests, and the receiver compares these values. If they differ, the receiver can know the message has been modified. Hash algorithms cannot provide authentication or non-repudiation.
×：Encryption paired with digital signatures
This is incorrect because encryption and digital signatures provide confidentiality, authentication, non-repudiation, and integrity. Encryption alone provides confidentiality. And digital signatures provide authentication, non-repudiation, and integrity. The question requires that it can provide authentication, non-repudiation, and integrity. It is a nasty question.
#18. Which of the following comes closest to defining a virtual machine?
#19. Which functional table was the table based primarily on?
The functionality table identifies the access rights that a particular subject owns with respect to a particular object. Each subject is mapped for a function (capability) such as read or write perform. Therefore, the subject is the one that seems to fit in the choices.
Incorrect because the Object is bound to an Access Control List (ACL), not a functional component.
Product is incorrect because it is just an example to implement a subject, object, or feature table.
Application is incorrect because it is just a concrete example of an object.
#20. Which of the following is at the top of the security documentation?
A security document documents the security to be achieved.” To achieve “strong security” a clear definition is needed. Since the definition varies from organization to organization, it is necessary to put it in writing. There are five documents, with policy at the top, each of which is mandatory or optional.
#21. It is not uncommon for business continuity plans to become outdated. What should you do to ensure that your plan does not become outdated?
〇：Business Continuity Processes Integrate Change Management Processes
Unfortunately, business continuity plans can quickly become outdated. An outdated BCP can give a company a false sense of security, which can be fatal if a disaster actually occurs. One of the simplest, most cost-effective, and process-efficient ways to keep your plan current is to incorporate it into your organization’s change management process. Are new applications, equipment, and services documented? Are updates and patches documented? The change management process should be updated to incorporate fields and triggers that alert the BCP team when significant changes occur and provide a means to update recovery documentation. Ensure that the BCP is kept up-to-date, and other measures include maintaining personnel evaluations of the plan and conducting regular training on using the plan, such as making business continuity part of all business decisions.
×：Update hardware, software, and application changes
Wrong because hardware, software, and application changes occur frequently; unless the BCP is part of a change management process, these changes are not included in the BCP. The BCP should be updated when changes to the environment occur. If it is not updated after a change, it is out of date.
×：Infrastructure and Environment Change Updates
Incorrect because infrastructure and environment changes occur frequently. Unless the BCP is part of a change management process, as with software, hardware, and application changes, infrastructure and environment changes are unlikely to result in a transition to the BCP.
Incorrect, as the plan may become obsolete. It is not uncommon for BCPs to be abandoned when the person or persons responsible for maintenance leave the company. These responsibilities must be reassigned. To ensure this, maintenance responsibilities must be built into job descriptions and properly monitored.
#22. When penetration testers are doing black box testing, how much do they know about the target?
〇：The attacker knows nothing about the organization other than the information that is publicly available.
In black box testing (zero-knowledge), the attacker has no knowledge about the organization other than the publicly available information. The focus is on what the external attacker does. Therefore, the correct answer is “knows nothing about the organization other than the information that is publicly available.” The result will be
×：I know everything.
White box testing is testing to verify the operation of a program, which is done after knowing what is in the program.
×：I keep the product manual and retain privileged access.
A gray box test is a test that is performed by a pen tester to some extent, with the attacker having only limited knowledge of the program.
This is a white box test or gray box test.
×：The vendor retains an accessible level of information.
In a black box test, the attacker has no information in principle.
#23. What is remote journaling as part of a fault tolerance strategy?
Remote journaling means that a transaction log file, not the file itself, is sent remotely. A transaction is one or more update operations performed on a file. In other words, it is a history of updates to a file. This means that if the original file is lost, it can be reconstructed from the transaction log.
#24. Different levels of RAID determine the type of activity that occurs within a RAID system. Which level of RAID is associated with byte-level parity?
〇：RAID Level 3
RAID redundant arrays provide fault tolerance capability for hard drives and can improve system performance. Redundancy and speed are provided by splitting data and writing it to multiple disks, allowing different disk heads to operate simultaneously to retrieve requested information. At this time, recovery data is also created. This is called parity; if one disk fails, the parity data can be used to reconstruct the corrupted or lost information. Different levels of RAID systems experience different activities that provide fault tolerance or improved performance. RAID level 3 is a method that uses byte-level striping and dedicated parity disks.
×：RAID Level 0
Wrong because only striping occurs at level 0.
×：RAID Level 5
RAID 5 is incorrect because it uses block-level striping and interleaved parity on all disks.
×：RAID Level 10
Level 10 is incorrect because it is associated with striping and mirroring.
#25. Which of the following is not an official risk methodology created for the purpose of analyzing security risks?
〇：AS / NZS 4360
AS / NZS 4360 can be used for security risk analysis, but it was not created for that purpose. It takes a much broader approach to risk management than other risk assessment methods, such as NIST or OCTAVE, which focus on IT threats and information security risks. AS / NZS 4360 can be used to understand a firm’s financial, capital, personnel safety, and business decision-making risks.
Incorrect as there is no formal FAP risk analysis methodology.
Image B is incorrect because it focuses on IT threats and information security risks. OCTAVE is intended for use in situations that manage and direct information security risk assessments within an organization. Employees of an organization are empowered to determine the best way to assess security.
×：NIST SP 800-30
Wrong because it is specific to IT threats and how they relate to information threats. Focus is primarily on systems. Data is collected from network and security practices assessments and from people within the organization. Data is used as input values for the risk analysis steps outlined in the 800-30 document.
#26. What type of disaster is an earthquake classified as?
#27. Which network line should be used to ensure that traffic always uses the same path?
#28. Which microprocessor technology has also been linked to facilitating certain attacks?
〇：Increased Processing Power
The increased processing power of personal computers and servers has increased the probability of successful brute force and cracking attacks against security mechanisms that were not feasible a few years ago. Today’s processors can execute an incredible number of instructions per second. These instructions can be used to break passwords, encryption keys, or direct malicious packets to be sent to the victim’s system.
×：Increased circuitry, cache memory, and multiprogramming
This is incorrect because an increase does not make a particular type of attack more powerful. Multiprogramming means loading multiple programs or processes into memory at the same time. It allows antivirus software, word processors, firewalls, and e-mail clients to run simultaneously. Cache memory is a type of memory used for fast write and read operations. If the system expects that the program logic will need to access certain information many times during processing, the information is stored in cache memory for easy and quick access.
The answer is not specific and does not measure conformance to the problem. When examining microprocessor advances, there is no actual dual-mode calculation.
×：Direct Memory Access I/O
Incorrect because this method transfers instructions and data between I/O (input/output) devices and the system’s memory without using the CPU. Direct Memory Access I/O significantly increases data transfer speed.
#29. Robert is responsible for implementing a common architecture for accessing sensitive information over an Internet connection. Which of the following best describes this type of architecture?
The 3-tier architecture clearly distinguishes the three layers: the client has the user interface responsible for input and displaying results, and the server has the functional process logic responsible for data processing and data storage for accessing the database. The user interface role is generally handled by the front-end web server with which the user interacts. It can handle both static and cached dynamic content. The functional process logic is where requests are reformatted and processed. It is typically a dynamic content processing and generation level application server. Data storage is where sensitive data is held. It is the back-end database and holds both the data and the database management system software used to manage and provide access to the data.
Two-tier, or client/server, is incorrect because it describes an architecture in which a server serves one or more clients that request those services.
A screen-subnet architecture is for one firewall to protect one server (basically a one-tier architecture). The external, public-side firewall monitors requests from untrusted networks like the Internet. If one layer, the only firewall, is compromised, an attacker can access sensitive data residing on the server with relative ease.
×：Public and Private DNS Zones
Separating DNS servers into public and private servers provides protection, but this is not the actual architecture.
#30. Which project management methodology is based on each phase leading to the next phase and not returning to the previous phase?
Waterfall is very unidirectional and each phase leads directly to the next phase. In a pure waterfall model, there is no way to return to the previous phase.
Agile is the idea that system development should be done flexibly. It is a trial-and-error development method that emphasizes adaptive planning, evolutionary development, early delivery, and continuous improvement. Agile differs from the traditional approach of modeling a process, where principles and claims are shared by the entire team and an attempt is made to adapt to every situation.
The SASHIMI model is a model of the system development process that allows the end and beginning points of each phase to run concurrently. In many cases, a waterfall model is used, where the next phase is moved to the next phase with the submission and review of deliverables. This is also great, but in practice, there are times when the delivery is made but modified due to changing requirements.
The spiral model is a method of development that iterates from design to testing for each function. It is a method in which a series of processes consisting of planning, analysis, design, implementation, testing, and evaluation are repeated many times within a single project to gradually increase the degree of completion. In a software project, these phases are repeated.
#31. Software-defined network (SDN) technology specifies which of the following?
〇：How routers are centrally managed and control packets based on the controller’s instructions
Software-defined networks (SDN) are intended to facilitate centralized management of routing decisions and to separate the router’s logical functions of passing data between the routing decision and the interface and making its mechanical functions.SDN architecture is a scalable, a programmable, and is intended to be a standard method of providing router control logic. Therefore, the correct answer is “a way for routers to be centrally managed and control packets based on the controller’s instructions.
×：Mapping between MAC and IP addresses.
×：Updating the routing table in a dynamic way.
Explanation of dynamic routing.
×：A method in which routers communicate with each other to update the routing table when an event occurs.
This is an explanation of routing control in case of communication failure.
#32. You have been instructed to report to the Board of Directors with a vendor-neutral enterprise architecture framework that will help reduce fragmentation due to inconsistencies between IT and business processes. Which of the following frameworks should you propose?
The Open Group Architecture Framework (TOGAF) is a vendor-independent platform for the development and implementation of enterprise architecture. It focuses on the effective management of enterprise data using metamodels and service-oriented architectures (SOA). Proficient implementations of TOGAF aim to reduce fragmentation caused by inconsistencies between traditional IT systems and actual business processes. It also coordinates new changes and functionality so that new changes can be easily integrated into the enterprise platform.
×：Department of Defense Architecture Framework (DoDAF)
In accordance with the guidelines for the organization of the enterprise architecture of the U.S. Department of Defense systems, this is incorrect. It is also suitable for large, complex integrated systems in the military, civilian, and public sectors.
×：Capability Maturity Model Integration (CMMI) during software development.
It is inappropriate because it is a framework for the purpose of designing and further improving software. CMMI provides a standard for software development processes that can measure the maturity of the development process.
Incorrect because it consists of recommended practices to simplify the design and conception of software-intensive system architectures. This standard provides a kind of language (terminology) to describe the different components of software architecture and how to integrate it into the development life cycle.
#33. Brad wants to ban the use of instant messaging (IM) on corporate networks. Which of the following should NOT be included in his presentation?
〇：The use of IM can be stopped by simply blocking certain ports on the network firewall.
Instant messaging (IM) allows people to communicate with each other via real-time and personal chat room types. These technologies will have the ability to transfer files. Users install an IM client and are assigned a unique identifier; they provide this unique identifier to anyone they wish to communicate with via IM. ineffective.
Another way to answer the question is to say that the question itself confirms our understanding of security, and then we can lay down the assumption that “should not be included in the presentation” means that we should not say anything that will later be held liable. There will be far more events that indicate that there is a possibility than events that say there is no possibility at all.
×：Sensitive data and files can be transferred from system to system via IM.
This is incorrect because in addition to text messages, instant messaging allows files to be transferred from system to system. These files could contain sensitive information, putting the company at business or legal risk. And sharing files via IM will use that much network bandwidth and impact network performance.
×：Users can be subjected to attacks posing as legitimate senders from malware containing information.
Incorrect because it is true. Due to lack of strong authentication, accounts can be falsified because there is to accept information from malicious users of the legitimate sender, not the receiver. There will also be numerous buffer overflows and malformed packet attacks that have been successful with different IM clients.
×：A security policy is needed specifying IM usage limits.
This is incorrect because his presentation should include the need for a security policy specifying IM usage restrictions. This is only one of several best practices to protect the environment from IM-related security breaches. Other best practices include upgrading IM software to a more secure version that configures the firewall to block IM traffic, implementing a corporate IM server so that only internal employees communicate within the organization’s network, and implementing an integrated Includes implementing an antivirus/firewall product.
#34. Which of the following is true regarding security audits, vulnerability assessments, and penetration testing?
〇：Vulnerability assessments can help prioritize weaknesses that need to be addressed.
The most important aspect of an internal or third-party vulnerability assessment is that it can enumerate all potential vulnerabilities a company has and prioritize corrective actions.
×：Third-party security audits are only required if regulations require it.
Even if some organizations do not require an independent review, it can often help find minor weaknesses that might have been overlooked.
×：Vulnerability assessments and penetration tests are essentially the same.
A vulnerability assessment is wrong because it enumerates all weaknesses and ensures that countermeasures are properly prioritized. Penetration testing aims to examine the likelihood that a real-world attacker will exploit a given weakness to achieve a goal.
×：Internal assessments are of little value.
Internal audits of enterprise security are usually not sufficient and can be very beneficial when conducted in conjunction with third-party reviews. However, it can often help find minor weaknesses that may have been overlooked.
#35. Previously, access was controlled by source IP address, but the behavior of a series of communications indicates that it must be detected. Which firewall is designed to respond to this attack?
Stateful Inspection detects abnormal communication in which the request and response are linked and only the response is returned from a different server. Therefore, the correct answer is “Stateful Inspection.
Commonly referred to as WAF, this is used when filtering is performed based on strings in telegrams, such as SQL injection.
Used for filtering by IP address or port.
There is no such firewall category.
#36. Server cluster configurations are taken for critical applications, but what functions are achieved by this configuration?
Clustering is designed for fault tolerance. It is often combined with load balancing, but they are essentially separate. Clustering can make an operation active/active. On top of that, the load balancing feature handles traffic from multiple servers. Active/passive, on the other hand, has a designated primary active server and a secondary passive server, with the passive sending keep-alives or heartbeats every few seconds.
#37. Which of the following is not an ethical item in the IAB (Internet Activities Board) Ethics for the Proper Use of Internet Resources?
This is a “non-ethics item” question.
A statement is made by the Internet Activities Board (IAB) to those who use the Internet about the correct use of Internet resources.
- Attempting to obtain unauthorized access to Internet resources.
- Disrupting the intended use of the Internet.
- Wasting resources (people, capabilities, and computers) through such activities.
- Destroying the integrity of computer-based information.
- Violating the privacy of users.
#38. What is called taking reasonable action to prevent a security breach?
Confidentiality means that the company does everything it could reasonably have done to prevent a security breach under the circumstances and takes appropriate control and action in the event of a security breach. In short, it means that the company is acting responsibly by practicing common sense and prudent management. If a company has a facility that is not fire-immune, its arsonist will be only a small part of this tragedy. The company is responsible for providing fire-resistant building materials, alarms, exits, fire extinguishers, and backup fire detection and suppression systems, all critical information specific areas that could be affected by a fire. If a fire were to burn the company’s building and all records (customer data, inventory records, and information needed to rebuild the business) were to disappear, the company would not take precautions to ensure that it is protected against that loss. For example, it would be possible to back up to an off-site location. In this case, employees, shareholders, customers, and anyone else affected could potentially sue the company. However, if the company has done all that is expected of it in terms of the points mentioned so far, it is difficult to sue without success if proper care (dee care) is not taken.
Is wrong because one firm’s activities (or lack thereof) may have a negative impact on other firms. If either company fails to provide the required level of protection and its negligence affects the partners with whom it cooperates, the affected company can sue the upstream company. For example, suppose Company A and Company B have built an extranet. Company A has not implemented controls to detect and address viruses. Company A is infected with a harmful virus, which infects Company B through the extranet. The virus destroys critical data and causes a major disruption to Company B’s production. Company B can therefore sue Company A for negligence. This is an example of downstream liability.
Incorrect, as it generally refers to the obligation and expected behavior or actions of a particular party. Obligations can have a defined set of specific actions required, which is a more general and open approach that allows parties to determine how to fulfill specific obligations.
A better answer to this question. Liability is not considered a legal term as with the other answers. Due diligence is because the firm has properly investigated all of its possible weaknesses and vulnerabilities. Before you can understand how to properly protect yourself, you need to know that you are protecting yourself. To understand the real level of risk, investigate and assess the real level of vulnerability. Even after these steps and assessments have been made, effective controls and protective measures can be identified and implemented. Due diligence means identifying all potential risks, but an appropriate response is one that actually mitigates the risk.
#39. I am looking to mitigate injection attacks on my web server. What advice should I give?
Injection attacks are cracking attacks in which special strings are embedded in user forms and submitted to malfunction the receiving user’s information processing. Sufficiently strong input validation and data type restrictions on input fields, input length limits, and modifications are to do it. Only allow users to enter appropriate data into fields. Limit the number of characters a user can use, and possibly restrict by character type, allowing only letters in names, numbers in phone numbers, and displaying country and state drop-downs.
#40. Which of the following plans would you use to organize information about specific system hardware?
Disaster Recovery Planning (DRP) is the process of creating short-term plans, policies, procedures, and tools to enable the recovery or continuation of critical IT systems in the event of a disaster. It focuses on the IT systems that support critical business functions and how they will be restored after a disaster. For example, it considers what to do if you suffer a distributed denial of service (DDOS) attack, if your servers are compromised, if there is a power outage, etc. BCP is more focused on what should happen and does not necessarily include system requirements.
#41. We are implementing a new network infrastructure for our organization. The new infrastructure uses carrier sense multiple access with collision detection (CSMA / CD). What are you trying to implement?
Carrier Sense Multiple Access Collision Detection (CSMA / CD) is used for systems that can transmit and receive simultaneously, such as Ethernet. If two clients listen at the same time and make sure the line is clear, both may transmit at the same time, causing a collision. Collision Detection (CD) is added to solve this scenario. The client checks to see if the line is idle and transmits if it is idle. If in use, they wait for a random time (milliseconds). During transmission, they monitor the network and if more input is received than transmitted, another client is also transmitting and sends a jam signal instructing other nodes to stop transmitting, wait a random time and then start transmitting again.
#42. Which of the following is the most appropriate relationship between SSL and TLS?
〇：TLS is an open community version of SSL.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols used to protect communications by encrypting segments of a network connection. SSL is a proprietary protocol and TLS was developed by a standards body, making it an open community protocol.
×：TLS is an open community version of SSL. SSL is a proprietary protocol and TLS was developed by a standards body, making it an open community protocol. x: The SSL protocol can be modified by developers to extend its capabilities.
This is incorrect because SSL is a proprietary protocol developed by Netscape. This means that the technical community cannot easily interoperate and extend SSL to extend to its functionality.
×：SSL is an open community protocol while TLS is a proprietary protocol.
The meaning and matching are reversed.
×：SSL is an extended version and backward compatible with TLS.
Wrong, since TLS is actually more extensible than SSL and is not backward compatible with SSL.
#43. Which of the following cannot be done by simply assigning a data classification level?
〇：Extraction of data from the database
In data classification, the data classification is used to specify which users have access to read and write data stored in the database, but it does not involve the extraction of data from the database. Therefore, the correct answer is “extraction of data from the database.
What is this? This is a question that you may think “What is this?” but you need to calmly analyze the classification of data and the manipulation of data. The more time you spend, the more tempted you are to give a difficult answer, but keeping calm is important in solving abstract problems.
×：Grouping hierarchically classified information
This is the primary activity of data classification.
×：Ensuring that non-confidential data is not unnecessarily protected
It is written in a complicated way, but it says that what does not need to be protected does not need the ability to be protected either.
×：Understanding the impact of data leakage
Although not directly, we may check the impact of a data breach in order to understand its importance in classifying data. Ka.
#44. Which method is most appropriate when making a final decision on whether or not a particular security control measure should be implemented?
To require that controls be put in place to reduce risk within acceptable limits, measures need to be selected that are identified as realistic, sufficiently likely, and sufficiently impactful. Simply analyzing the costs and benefits of possible measures will help determine what measures should be taken.
This is incorrect because risk determination is only the first step in identifying what may be needed to control risk within acceptable thresholds.
Wrong because ALE informs the firm of what it could lose if a particular threat becomes real. The value of the ALE goes into the cost-benefit analysis, but the ALE does not address the costs of the countermeasure and the benefits of the countermeasure.
×：Identifying vulnerabilities and threats that pose a risk
This is incorrect because although the vulnerability and threat assessments make the need for countermeasures known, the assessments alone do not determine what the cost-effectiveness of the competing countermeasures is expected to be.
#45. If you have little or no computer experience, but you have unauthorized access, what methods do you think the perpetrator is using? Which of the following comes closest?
〇：Shoulder Surfing Attacks
Shoulder surfing is a type of browsing attack in which an attacker looks over the shoulder of another person to see what is being typed on that person’s monitor items or keyboard. Of the attacks listed, this is the easiest to perform in that it requires no knowledge of the computer system. Therefore, the correct answer is a shoulder surfing attack.
A dictionary attack is an unauthorized login that targets users who use words as passwords.
A side-channel attack is an attack that eavesdrops on system data from physical information.
A timing attack is an attack in which various input information is given to a device that processes ciphers, and the cipher key or other information is deduced from the difference in processing time. If processing time is taken, it can be inferred as a rough indication that the process is proceeding normally as a process, and so on.
#46. What historical events led to the enactment of the USA PATRIOT Act?
#47. A backup file stored on a physical disk is being transported by truck to a data center at a different location. What is the status of the data in this backup file?
Stored data is data that is stored on a disk or other media. Transmitted data is data flowing over a network. Used data is data that is in memory, cache, etc. and in use. Just because it is being transported by truck does not make it data that is being transferred. Therefore, “stored data” is the correct answer.
#48. Fred is told that he needs to test components of a new content management application under development to validate data structures, logic, and boundary conditions. What tests should he perform?
Unit testing involves testing individual components in a controlled environment to verify data structures, logic, and boundary conditions. After the programmer develops a component, it is tested with several different input values and in a variety of situations. Unit testing can begin early in the development process and usually continues throughout the development phase. One of the benefits of unit testing is that it identifies problems early in the development cycle. It is easier and less expensive to make changes to individual units.
This is incorrect because acceptance testing is done to verify that the code meets the customer’s requirements. This test is applied to some or all of the application, but usually not individual components.
Regression testing is incorrect because it implies retesting a system after changes have been made to ensure its functionality, performance, and protection. Essentially, regression testing is done to identify bugs where functionality no longer works as intended as a result of a program change. It is not uncommon for developers to fix one problem, accidentally create a new problem, or fix a new problem and solve an old one. Regression testing involves checking for previously fixed bugs to ensure that they have not reappeared and re-running previous tests.
Integration testing is incorrect because it verifies that components work together as outlined in the design specification. After unit testing, individual components or units are tested in combination to verify that they meet functional, performance, and reliability requirements.
#49. What is the difference between freeware and shareware?
Freeware is free software and can be used for free. Shareware is fully functional proprietary software that is initially free to use. Often a trial to test the software requires a fee to continue using it after 30 days. Thus, the correct answer is, “Freeware is free in perpetuity, while shareware is free for a set period of time.” will be.
#50. John provides a weekly report to the manager outlining security incidents and mitigation procedures. If there is no incident information to put on the report, what action should he take?
〇：Send a report labeled “No output”.
If there is nothing to report (nothing to report), you need to make sure the manager is aware that the report has no information and is not only to be held accountable.
×：Send an email notifying the manager that there is nothing to report.
It is not appropriate to suddenly keep a record of the report by e-mail, since the report is normally scheduled to be reported in the operation. Realistically, wouldn’t you be more endearing to your manager if you communicated with him or her every step of the way? No, I am not asking you to do that.
×：Re-submit last week’s report and submit the date of last week’s report as this week’s date.
Delivering last week’s report does not express that nothing was reported this week.
You are required to report that nothing happened.
#51. A student is concerned about his future and wants to attack a political institution. What is this middle school student classified as an attacker?
#52. Which of the following is a common association of the Clark-Wilson access model?
In the Clark-Wilson model, subjects cannot access objects without going through some type of application or program that controls how this access is done. The subject (usually the user) can access the required object based on access rules within the application software, defined as “Well-Formed Transaction,” in conjunction with the application.
This is incorrect because it is another name for the Brewer Nash model created to provide access control that can be dynamically modified according to the user’s previous behavior. It is shaped by access attempts and conflicts of interest and does not allow information to flow between subjects and objects. In this model, a subject can only write to an object if the subject cannot read another object in a different data set.
The Clark-Wilson model is incorrect because it uses access triples instead of access tuples. The access triple is the subject program object. This ensures that the subject can only access the object through the authorized program.
×：Write Up and Write Down
The Clark-Wilson model is incorrect because there is no Write Up and Write Down. These rules relate to the Bell-LaPadula and Biba models. The Bell-LaPadula model contains a simple security rule that has not been read and a star property rule that has not been written down. The Biba model contains an unread simple completeness axiom and an unwritten star completeness axiom.
#53. The U.S. National Security Agency (NSA) wanted to incorporate a clipper chip into every motherboard. Which encryption algorithm did this chip use?
#54. Measuring the damage and recovery requirements by different indicators helps quantify the risk. which is correct about the RPO (Recovery Point Objective) and RTO (Recovery Time Objective)?
RPO (Recovery Point Objective) is the target value for recovering data at a point in the past when a failure occurs. When a failure occurs, the data currently handled is lost. The lost data must be recovered from backups, but it is important to know how far in the past the backups are from the current point in time.
RTO (Recovery Time Objective) is a target value that defines when the data should be recovered in the event of a failure. In the event of a failure, the service must not be unavailable indefinitely. Failure response procedures and disaster drills must be implemented to establish a target value for the time from the occurrence of a failure to the startup of service.
#55. Access control matrices are used in many operating systems and applications to control access between subjects and objects. What is this type of column called?
Access Control List (ACL) A map value from the Access Control Matrix to an object; ACLs are used in several operating system, application, and router configurations. They are lists of items that are authorized to access a particular object and they define the level of authorization to be granted. Authorization can be specified to an individual or to a group. Therefore, ACLs are bound to an object and indicate which subjects can access it, and feature tables are bound to a subject and indicate which objects the subject can access.
The function table is a row in the access control matrix.
Constraint interfaces are wrong because they limit the user’s access ability by not allowing them to request certain functions or information or have access to certain system resources.
The role-based access control (RBAC) model, called non-discretionary access control, is wrong because it uses a centralized set of controls to determine how subjects and objects interact.
#56. Which option incorrectly describes SOAP and remote procedure calls?
〇：SOAP allows Remote Procedure Calls to be used to exchange information between applications over the Internet.
To allow applications to exchange information over the Internet, the Simple Object Access Protocol (SOAP) was created to be used instead of Remote Procedure Call (RPC). SOAP is an XML-based protocol that encodes messages in a Web service setting. It allows programs running on different operating systems to communicate using Web-based communication methods.
×：SOAP is designed to overcome compatibility and security issues associated with remote procedure calls.
Attempting to allow communication between objects of different applications over the Internet is incorrect because SOAP was created to overcome the compatibility and security issues introduced by RPC. SOAP is designed to work with multiple operating system platforms, browsers, and servers.
×：SOAP and remote procedure calls were created to enable application layer communication.
This is incorrect because both SOAP and RPC were created to enable application layer communication. SOAP is an XML-based protocol that encodes messages in a Web service setting. Therefore, if a Windows client needs to access a Windows server that provides a particular web service, programs on both systems can communicate using SOAP without running into interoperability problems.
×：HTTP is not designed to work with remote procedure calls, but SOAP is designed to work with HTTP.
HTTP is not designed to work with RPC, but SOAP is designed to work with HTTP. SOAP actually defines the structure of the XML schema or communication mechanism. The SOAP XML schema defines how objects communicate directly with each other. One of the advantages of SOAP is that program calls most likely get through firewalls, since HTTP communication is generally allowed. This ensures that the client/server model is not broken by getting denied by firewalls during the communication entity.
#57. There are several calculation methods used to evaluate the value of an asset. Which of the following is NOT used to determine the value of an asset?
〇：Level of insurance required to cover assets.
This question is about choosing what is not used. There are several ways to calculate asset value (AV, Asset Value): the market approach, which refers to similar assets in the market, the income approach, which measures it by the profit it will earn in the future, and the cost approach, which measures it by the cost spent on the asset. The level of insurance needed to cover an asset is a decision made after identifying the asset value and conducting an appropriate risk analysis, allowing the organization to more easily determine the level of insurance coverage to purchase for that asset. Therefore, the correct answer is “level of insurance required to cover the asset”.
×：Value of the asset in the external market.
The technique of referring to similar assets in the market is known as the market approach.
×：Initial costs and outlay for purchasing, licensing, and supporting the asset.
The method of measuring by the cost spent on an asset is known as the cost approach.
×：The value of the asset to the organization’s production operations.
The method of measuring by the profit that will be earned in the future is known as the revenue approach.
#58. Which is the difference between public key cryptography and public key infrastructure?
〇：Public key infrastructure is a mechanism configuration for public key cryptographic distribution, and public key cryptography is another name for asymmetric encryption.
Public key cryptography is asymmetric cryptography. The terms are used interchangeably. Public key cryptography is a concept within the Public Key Infrastructure (PKI), which consists of various parts such as Certificate Authorities, Registration Authorities, certificates, keys, programs, and users. Public Key Infrastructure is used to identify and create users, distribute and maintain certificates, revoke and distribute certificates, maintain encryption keys, and for the purpose of encrypted communication and authentication.
×：Public key infrastructure uses symmetric algorithms and public key cryptography uses asymmetric algorithms.
This is incorrect because the public key infrastructure uses a hybrid system of symmetric and asymmetric key algorithms and methods. Public key cryptography is to use asymmetric algorithms. Therefore, asymmetric and public key cryptography are interchangeable, meaning they are the same. Examples of asymmetric algorithms are RSA, elliptic curve cryptography (ECC), Diffie-Hellman, and El Gamal.
×：Public key infrastructure is used to perform key exchange, while public key cryptography is used to create public/private key pairs.
This is incorrect because public key cryptography is the use of asymmetric algorithms used to create public/private key pairs, perform key exchange, and generate and verify digital signatures.
×：Public key infrastructure provides confidentiality and integrity, while public key cryptography provides authentication and non-repudiation.
Incorrect because the public key infrastructure itself does not provide authentication, non-repudiation, confidentiality, or integrity.
#59. Which is the most correct use of a captive portal?
#60. Which technology optimizes content delivery by determining geographic location based on the client’s IP address for routing that constitutes the proximal topology of Web content?
〇：Content Delivery Network (CDN)
Content delivery networks (CDNs) are designed to optimize the delivery of content to clients based on their global topology. In such a design, multiple web servers hosted at many points of existence on the Internet are globally synchronized and contain the same content, and the client is usually directed to the nearest source via DNS record manipulation based on geolocation algorithms for can be directed to.
×：Distributed Name Service (DNS)
Wrong, as there is no protocol called Distributed Name Service; DNS refers to the Domain Name Service protocol.
×：Distributed Web Service (DWS)
Distributed Web Services is also wrong because it is an incorrect answer. The concept of a distributed Web services discovery architecture is not a formal protocol, although it has been discussed by the IEEE and others.
×：Content Domain Distribution (CDD)
The term Content Domain Distribution (CDD) does not appear in CISSP’s CBK terminology.
#61. We have tested our software and found over 10,000 defects. What should the next step be?
〇：Calculate the potential impact for fatal errors.
Software testing is a must, but when that testing reveals numerous defects, it must be handled with care. Systems do not have the same concept as human forgetfulness, but it is not realistic to ask someone who scored 30 on this week’s test to score 100 on next week’s test.
Before any corrections can be made, the data taken from the test must be analyzed with the test completed, including log reviews. Priority must be given to determining what to implement first and what is acceptable and unacceptable. Think about qualitative risk analysis; if it is unlikely and has little impact, it can be left alone and focus on high priority items. Thus, the correct answer is, “Calculate the likelihood of impact for fatal errors.” will be.
×：Fix them all.
If many defects are found, it is likely that a lot of time will be taken to deal with their correction.
×：Leave them alone because of the huge number.
In principle, it is unacceptable to leave defects unattended.
×：Calculate the potential impact for all errors.
Performing an analysis for all errors can also be very work intensive.
#62. Which of the following is true about the key derivation function (KDF)?
〇：Keys are generated from a master key.
To generate a composite key, a master key is created and a symmetric key (subkey) is generated. The key derivation function generates the encryption key from the secret value. The secret value can be a master key, passphrase, or password. The key derivation function (KDF) generates a key for symmetric key ciphers from a given password.
×：Session keys are generated from each other.
Session keys are generated from each other, not from the master key, which is incorrect.
×：Asymmetric ciphers are used to encrypt symmetric keys.
It is incorrect because key encryption is not even related to the key derivation function (KDF).
×：The master key is generated from the session key.
Reverse, incorrect. Session keys are generally generated from master keys.
#63. Virtual storage combines RAM for system memory and secondary storage. Which of the following is a security concern regarding virtual storage?
〇：Multiple processes are using the same resources.
The system uses hard drive space (called swap space) that is reserved to expand RAM memory space. When the system fills up volatile memory space, data is written from memory to the hard drive. When a program requests access to this data, it is returned from the hard drive to memory in specific units called page frames. Accessing data stored on hard drive pages takes longer than accessing data stored in memory because it requires read/write access to the physical disk. A security issue with using virtual swap space is that two or more processes can use the same resources and corrupt or damage data.
×：Allowing cookies to remain persistent in memory
This is incorrect because virtual storage is not associated with cookies. Virtual storage uses hard drive space to extend RAM memory space. Cookies are small text files used primarily by web browsers. Cookies can contain credentials for web sites, site preferences, and shopping history. Cookies are also commonly used to maintain web server-based sessions.
×：Side-channel attacks are possible.
Side-channel attacks are incorrect because they are physical attacks. This type of attack gathers information about how a mechanism (e.g., smart card or encryption processor) works from abandoned radiation, time spent processing, power consumed to perform a task, etc. Using the information, reverse engineer the mechanism to reveal how it performs its security task. This is not related to virtual storage.
×：Two processes can perform a denial of service attack.
The biggest threat within a system where resources are shared between processes is that one process can adversely affect the resources of another process, since the operating system requires memory to be shared among all resources. This is especially true in the case of memory. It is possible for two processes to work together to perform a denial of service attack, but this is only one of the attacks that can be performed with or without the use of virtual storage.
#64. An attacker is attempting a distributed denial of service (DDoS) attack using UDP floods. How does a distributed denial of service (DDoS) attack work at this time?
#65. Which of the following is an incorrect benefit of virtualization?
〇：Operating system patching is easier.
This is an incorrect choice question. Virtualization does not simplify operating system patching. In fact, it complicates it by adding at least one additional operating system. Each operating system differs from the typical version configuration, adding to the complexity of patching. The server’s own operating system runs as a guest within the host environment. In addition to patching and maintaining the traditional server operating system, the virtualization software itself must be patched and maintained.
For this question, we do not require an understanding of all the technical systems of virtualization. What is required here is a selection of answers based on a process of elimination.
×：I can build a secure computing platform.
Building a secure computing platform may not be a feature of virtualization per se. However, can we build a secure environment? This is not a false choice because it cannot be ruled out.
×：It can provide fault and error containment.
Virtualization can be host independent. In terms of containment, it can be interpreted as being able to provide fault and error containment through independence from physical servers. Therefore, it cannot be denied and is therefore not an incorrect choice.
×：It can provide powerful debugging capabilities.
Virtualization can reproduce a unique environment, not just put up a clean virtual host. Therefore, it is undeniable and therefore out of the wrong choice.
#66. Which word indicates the destination address and the computer service or protocol communication method at the destination?
UDP (User Datagram Protocol) and TCP (Transmission Control Protocol) are transport protocols used by applications to retrieve data over a network. Both use ports to communicate with the upper OSI layer and keep track of the various conversations that occur simultaneously. Ports are also the mechanism used to identify how other computers access services. When a TCP or UDP message is formed, the source and destination ports are included in the header information along with the source and destination IP addresses. This IP address and port number is called a socket; the IP address serves as the gateway to the computer and the port serves as the gateway to the actual protocol or service.
This is incorrect because the IP address does not tell the packet how to communicate with the service or protocol. The purpose of an IP address is to identify and address the location of a host or network interface. Each node in a network has a unique IP address. This information, along with the source and destination ports, make up a socket. The IP address tells the packet where to go, and the port indicates how to communicate with the appropriate service or protocol.
The port is incorrect because it tells the packet only how to communicate with the appropriate service or protocol. It does not tell the packet where it should go. The IP address provides this information. Ports are communication endpoints used by IP protocols such as TCP and UDP. Ports are identified by a number.
Frame is incorrect because the term is used to refer to a datagram after the header and trailer have been given to the data link layer.
#67. Which of the following problems are caused by the hash collision phenomenon?
#68. Which of the following correctly describes the relationship between the reference monitor and the security kernel?
〇：The security kernel implements and executes the reference monitor
The Trusted Computing Base (TCB) is a complete combination of protection mechanisms for a system. These are in the form of hardware, software, and firmware. These same components also comprise the security kernel. Reference monitors are access control concepts implemented and enforced by the security kernel via hardware, software, and firmware. In doing so, it ensures that the security kernel, the subject, has the proper permissions to access the object it is requesting. The subject, be it a program, user, or process, cannot access the requesting file, program, or resource until it is proven that it has the proper access rights.
×：The reference monitor is the core of the Trusted Computing Base (TCP), which is comprised of the security kernel.
This is incorrect because the reference monitor is not the core of the TCB. The core of the TCB is the security kernel, and the security kernel implements the concepts of the reference monitor. The reference monitor is a concept about access control. It is often referred to as an “abstract machine” because it is not a physical component.
×：The reference monitor implements and executes the security kernel.
The reference monitor does not implement and execute the security kernel, which is incorrect. On the contrary, the security kernel implements and executes the reference monitor. The reference monitor is an abstract concept, while the security kernel is a combination of hardware, software, and firmware in a trusted computing base.
×：The security kernel, i.e., the abstract machine, implements the concept of a reference monitor.
This is incorrect because abstract machine is not another name for security kernel. Abstract machine is another name for the reference monitor. This concept ensures that the abstract machine acts as an intermediary between the subject and the object, ensuring that the subject has the necessary rights to access the object it is requesting and protecting the subject from unauthorized access and modification. The security kernel functions to perform these activities.
#69. Audits are needed to maintain security. Among other things, we want to ensure that provisioning is done properly. Which of the following is not provisioning?
〇：Reviewing and evaluating against security documentation.
Provisioning refers to the management of account information. Reviewing documents is not part of provisioning. Therefore, the correct answer is: “Review and evaluate security documentation.” The answer will be
×：When an employee leaves the company, the account should be deactivated as soon as possible.
This is proper provisioning for users and account usage that belong to the organization.
×：Periodic review and adherence to the principle of least privilege.
This is appropriate provisioning for account access privileges.
×：Appropriate deletion of accounts that are no longer needed.
This is appropriate provisioning for the management of minimum account information.
#70. Which of the following events occurs in a PKI environment?
〇：CA signs certificates.
A Certificate Authority (CA) is a trusted agency (or server) that maintains digital certificates. When a certificate is requested, the Registration Authority (RA) verifies the identity of the individual and passes the certificate request to the CA The CA creates the certificate, signs it, and maintains the certificate over its lifetime.
×：RA creates the certificate and CA signs it.
Incorrect because the RA does not create the certificate; the CA creates it and signs it; the RA performs authentication and registration tasks; establishes the RA, verifies the identity of the individual requesting the certificate, initiates the authentication process to the CA on behalf of the end user, and performs certificate life cycle RAs cannot issue certificates, but can act as a broker between the user and the CA When a user needs a new certificate, they make a request to the RA and the RA goes to the CA to verify all necessary identification before granting the request The RA verifies all necessary identification information before granting the request.
×：RA signs certificates.
The RA signs the certificate, which is incorrect because the RA does not sign the certificate; the CA signs the certificate; the RA verifies the user’s identifying information and then sends the certificate request to the CA.
×：The user signs the certificate.
Incorrect because the user has not signed the certificate; in a PKI environment, the user’s certificate is created and signed by the CA. The CA is a trusted third party that generates the user certificate holding its public key.
#71. Which technology can generate time-based one-time passwords?
〇：Time-Based Synchronous Dynamic Token
A synchronous token device synchronizes with the authentication service using time or a counter as a core part of the authentication process. When synchronization is time-based, the token device and authentication service must maintain the same time within their internal clocks. The time values of the token device and private key are used to generate a one-time password that is displayed to the user. The user then passes this value and user ID to the server running the authentication service and enters this value and user ID into the computer. The authentication service decrypts this value and compares it to the expected value. If both match, the user is authenticated and allowed to use the computer and resources.
×：Counter-Based Synchronous Dynamic Token
If the token device and authentication service use counter synchronization, it is incorrect because it is not based on time. When using a counter-synchronized token device, the user must initiate the creation of a one-time password by pressing a button on the token device. This causes the token device and authentication service to proceed to the next authentication value. This value, the base secret, is hashed and displayed to the user. The user enters this resulting value along with the user ID to be authenticated. For either time or counter-based synchronization, the token device and authentication service must share the same secret base key used for encryption and decryption.
Asynchronous token generation methods are incorrect because they use a challenge/response method for the token device to authenticate the user. Instead of using synchronization, this technique does not use separate steps in the authentication process.
Wrong because there is no such thing as a mandatory token. This is an incorrect answer.
#72. Which level in the software functional maturity model provides a “repeatable process that yields constant results”?
Level 2 of the software functional maturity model is reproducible. It is a maturity level where some processes are reproducible and produce constant results. The process discipline is not rigorous, but it helps to maintain existing processes. Therefore, the correct answer is Level 2.
At Level 1, the process is usually undocumented and dynamic. It tends to be driven by users and events in an ad hoc, uncontrolled, reactive manner. As a result, the process is chaotic and unstable.
At Level 2, at maturity, some processes are repeatable and will produce consistent results. Process discipline will not be rigid, but where it exists it will help ensure that existing processes are maintained.
At Level 3, a documented set of standard processes has been established and has improved somewhat over time.
At Level 4, the process is being evaluated to ensure that it is achieving its goals. Process users experience the process under multiple and varied conditions to demonstrate competence.
Level 5 focuses on continuous improvement of process performance through incremental and innovative technical changes/improvements.
#73. What is the last step in the process after a penetration test has been properly conducted?
Penetration testing is an attempt to penetrate a system connected to a network. Penetration allows for any kind of manipulation and can bring the service itself to a halt. Therefore, the focus of testing is on penetration. The sequence is: planning, preliminary investigation, search for vulnerabilities, evaluation, attack, and reporting. Therefore, the correct answer is “report generation.
#74. We have a document that has been labeled as confidential information. Some of the text contained information that should be treated as Critical Secret Information above Confidential Information. How should this be handled?
〇：Review labeling and treat as critical confidential information.
Labeling is the process of sorting data according to its level of confidentiality. Labeling helps clarify the confidentiality level of data management. If the labeling is incorrect, it should be corrected at any time to manage the data in accordance with the confidentiality level. Therefore, “Review the labeling and treat it as critical confidential information.” is the correct answer.
×：The entire sentence should be treated as confidential information because the business should be flexible.
This is not an appropriate operation because the text containing critical confidential information is treated as confidential information.
×：As supplemental information to the document, state that “a part of the text contains material confidential information.
This is not a fundamental solution because stating this as supplementary information is in effect treating the information as different confidential levels.
×：Destroy the document because it is impossible for different confidential information to be crossed.
Destroying the document is not an appropriate operation because it is a damage to one’s own assets.
Translated with www.DeepL.com/Translator (free version)
#75. Which of the following is not an acronym for CIA Triad?
Secondary, or persistent XSS vulnerabilities are incorrect because they target websites that populate databases or data stored elsewhere, such as forums or message boards.
Persistent XSS vulnerability is incorrect because it is simply another name for a secondary vulnerability.
A non-persistent XSS vulnerability, called a reflection vulnerability, is incorrect because it uses a malicious script to open a programmed URL in order to steal sensitive information from someone who holds cookies, etc. The principle behind this attack lies in the lack of proper input or output validation on dynamic websites.
#77. DNS is a popular target for attackers on the Internet; which ones use recursive queries to pollute the caches of DNS servers?
The DNS plays a great role in the transmission of traffic on the Internet; it directs traffic to the appropriate IP address corresponding to a given domain name DNS queries can be classified as either recursive or iterative. In a recursive query, the DNS server forwards the query to another server, which returns the appropriate response to the inquirer. In an iterative query, the DNS server responds with the address of another DNS server that may be able to answer the question and then proceeds to further ask for a new DNS server. Attackers use recursive queries to pollute the caches of DNS servers.
The attacker sends a recursive query to the victim’s DNS server asking for the IP address of the domain; the DNS server forwards the query to another DNS server. Before the other DNS server responds, the attacker inserts his IP address. The victim server receives the IP address and stores it in its cache for a specific period of time. The next time the system queries the server for resolution, the server directs the user to the attacker’s IP address.
×：Manipulating the hosts file
Manipulating the hosts file is wrong because it does not use recursive queries to pollute the DNS server cache. The client queries the hosts file before issuing a request to the first DNS server. Some viruses add the antivirus vendor’s invalid IP address to the hosts file to prevent the virus definition file from being downloaded and to prevent detection.
Social engineering is wrong because it does not require querying DNS servers. Social engineering refers to manipulation by an individual for the purpose of gaining unauthorized access or information.
Domain litigation is wrong because it does not involve poisoning the DNS server cache. Domain names are at trademark risk, including temporary unavailability or permanent loss of established domain names.
#78. Which of the following is an incorrect description of IP telephony security?
〇：Softphones are safer than IP phones.
IP softphones should be used with caution. A softphone is a software application that allows users to make calls via computer over the Internet. Replacing dedicated hardware, a softphone works like a traditional telephone. Skype is an example of a softphone application. Compared to hardware-based IP phones, softphones are more receptive to IP networks. However, softphones are no worse than other interactive Internet applications because they do not separate voice traffic from data, as IP phones do, and also because data-centric malware can more easily enter the network through softphones. network.
×：VoIP networks should be protected with the same security controls used on data networks.
The statement is incorrect because it correctly describes the security of an IP telephony network. an IP telephony network uses the same technology as a traditional IP network, which allows it to support voice applications. Therefore, IP telephony networks are susceptible to the same vulnerabilities as traditional IP networks and should be protected accordingly. This means that IP telephony networks should be designed to have adequate security.
×：As an endpoint, IP telephony can be a target of attack.
Incorrect because true: An IP phone on an IP telephony network is equivalent to a workstation on a data network in terms of vulnerability to attack. Thus, IP phones should be protected with many of the same security controls implemented on traditional workstations. For example, the default administrator password must be changed. Unnecessary remote access functions need to be disabled. Logging should be enabled and the firmware upgrade process should be secured.
×：The current Internet architecture in which voice is transmitted is more secure than physical phone lines.
True and therefore incorrect. In most cases, the current Internet architecture in which voice is transmitted is more secure than physical telephone lines. Physical phone lines provide a point-to-point connection, which is difficult to leverage over the software-based tunnels that make up the bulk of the Internet. This is an important factor to consider when protecting IP telephony networks because the network is now transmitting 2 valuable asset data and voice. It is not unusual for personal information, financial information, and other sensitive data to be spoken over the phone; intercepting this information over an IP telephony network is as easy as intercepting regular data. Currently voice traffic should also be encrypted.
#79. Brian has been asked to create a virtual directory for the company’s new identity management system. Which of the following best describes the virtual directory?
〇：Virtual Container for Data from Multiple Sources
Network directories are containers for users and network resources. Because one directory does not contain all the users and resources in an enterprise, a collection of directories must be used. A virtual directory collects the necessary information used from sources scattered throughout the network and stores it in a central virtual directory (virtual container). This provides a unified view of digital identity information for all users across the enterprise. The virtual directory is regularly synchronized with all identity stores (individual network directories) to ensure that up-to-date information is being used by all applications and identity management components in the enterprise.
Virtual directories are similar to metadirectories, but incorrect because metadirectories work with one directory and virtual directories work with multiple data sources. When the Identity Management component calls the virtual directory, it can scan different directories across the enterprise, but the metadirectory only has the ability to scan one directory it is associated with.
×：User attribute information stored in the HR database
Incorrect because it describes an identity store. Much of the information stored in identity management directories is scattered throughout the enterprise. User attribute information (employee status, job description, department, etc.) is typically stored in the HR database. Authentication information can be stored in a Kerberos server, and resource-oriented authentication information can be stored in the domain controller’s Active Directory. These are commonly referred to as identity stores and are located elsewhere on the network. Many identity management products use virtual directories to call up the data in these identity stores.
×：Services that allow administrators to configure and manage the way identities are
This is incorrect because it describes a directory service. Directory services allow administrators to configure and manage how identification, authentication, permissions, and access control are performed within a network. It uses namespaces to manage objects in the directory and enforces security policies configured by performing access control and identity management functions.
#80. The CA is responsible for revoking the required certificates. Which of the following adequately describes CRLs and OCSPs?
〇：OCSP is a protocol developed specifically to check CRLs during the certificate validation process.
A Certificate Authority (CA) is responsible for creating certificates, maintaining and distributing them, and revoking them when necessary. Revocation is handled by the CA and the revoked certificate information is stored in a Certificate Revocation List (CRL). This is a list of all revoked certificates. This list is maintained and updated periodically. A certificate is revoked if the key owner’s private key has been compromised, if the CA has been compromised, or if the certificate is incorrect. If a certificate is revoked for any reason, the CRL is a mechanism for others to inform you of this information. The Online Certificate Status Protocol (OCSP) uses this CRL; when using CRLs, the user’s browser must examine the CRL value to the client to see if the accreditation has been revoked or the CA is constantly checking to make sure they have an updated CRL. If OCSP is implemented, it will do this automatically in the background. It performs real-time verification of the certificate and reports back to the user whether the certificate is valid, invalid, or unknown.
×：CRL was developed as a more efficient approach to OCSP.
CRLs are often incorrect because they are a cumbersome approach; OCSP is used to deal with this tediousness; OCSP does this work in the background when using CRLs; OCSP checks the CRL to see if the certificate has been revoked by Checks.
×：OCSP is a protocol for submitting revoked certificates to CRLs.
OCSP is incorrect because it does not submit revoked certificates to the CRL; the CA is responsible for certificate creation, distribution, and maintenance.
×：CRL provides real-time validation of certificates and reports to OCSP.
Incorrect because CRL does not provide real-time validation of certificates to OCSP.
#81. Which of the following is not a network topology?
#82. One approach to fighting spam mail is to use the Sender Policy Framework, an email validation system. What type of system implements this functionality and receives and responds to requests?
Sender Policy Framework (SPF) is an email verification system that detects email spoofing and prevents spam and malicious email. Attackers typically spoof e-mail addresses to make recipients believe that the messages come from a known and trusted source. SPF allows network administrators to specify which hosts can send mail from a particular domain by implementing SPF records in the Domain Name System (DNS). The e-mail server is configured to check with the DNS server to ensure that e-mail sent from a particular domain was sent from an IP address authorized by the administrator of the sending domain.
#83. Lacy’s manager assigned her to research intrusion detection systems for the new dispatching center. Lacey identifies the top five products and compares their ratings. Which of the following is the most used evaluation criteria framework today for this purpose?
Common Criteria was created in the early 1990s as a way to combine the strengths of both the Trustworthy Computer Systems Evaluation Criteria (TCSEC) and the Information Technology Security Evaluation Criteria (ITSEC) and eliminate their weaknesses. Common Criteria is more flexible than TCSEC and easier than ITSEC. Common Criteria is recognized worldwide and assists consumers by reducing the complexity of assessments and eliminating the need to understand the definitions and meanings of different assessments in different assessment schemes. This also helps manufacturers because they can now build a specific set of requirements when they want to market their products internationally, rather than having to meet several different evaluation criteria under different rules and requirements.
This is incorrect because it is not the most widely used information technology security evaluation standard. ITSEC was the first attempt to establish a single standard for evaluating the security attributes of computer systems and products in many European countries. In addition, ITSEC separates functionality and assurance in its evaluations, giving each a separate rating. It was developed to provide greater flexibility than TCSEC and addresses integrity, availability, and confidentiality in networked systems. The goal of ITSEC was to become the global standard for product evaluation, but it failed to achieve that goal and was replaced by Common Criteria.
Wrong, as it is a U.S. government publication that addresses the topic of security evaluation of networks and network components. Formally titled Trusted Network Interpretation, it provides a framework for protecting different types of networks. Subjects accessing objects on the network must be controlled, monitored, and audited.
Incorrect as this is a U.S. Government publication that addresses government and military requirements and expectations for operating systems. The Orange Book is used to evaluate whether a product is suitable for the security characteristics and specific applications or functions required by the vendor. The Orange Book is used to review the functionality, effectiveness, and assurance of the product under evaluation, using classes designed to address typical patterns of security requirements. It provides a broad framework for building and evaluating trusted systems, with an emphasis on controlling which users have access to the system. We call it the Orange Book, but another name for it is Trusted Computer System Evaluation Criteria (TCSEC).
#84. Jim is a sales representative and the data owner of the sales department. Which of the following is not the responsibility of Jim, the data owner?
〇：Verifying Data Availability
The responsibility for verifying data availability is the sole responsibility that does not belong to the data (information) owner. Rather, it is the responsibility of the data (information) controller. The data controller is also responsible for maintaining and protecting the data in accordance with the data owner’s instructions. This includes performing regular backups of data, restoring data from backup media, maintaining records of activities, and enforcing information security and data protection requirements in company policies, guidelines, and standards. Data owners work at a higher level than data managers. The data owner basically says, “This is the level of integrity, availability, and confidentiality you need to provide. Please do it now”. The data administrator is executing these permissions and following up on the installed controls to ensure they are working properly.
×：Assigning Information Classification
Incorrect as you are asking if Jim is not responsible for the assignment of information classifications because as the data owner, Jim is responsible for the assignment of information classifications.
×：Determining how to protect data
Incorrect because the data owner, such as Jim, is responsible for determining how the information is protected. The data owner has organizational responsibility for data protection and is liable for any negligence with respect to protecting the organization’s information assets. This means that Jim needs to decide how to protect the information and ensure that the data controller (a role usually occupied by IT or security) is implementing these decisions.
×：Determining how long to retain data
This is incorrect because the decision of how long to retain data is the responsibility of the data owner. The data owner is also responsible for determining who can access the information and ensuring that the appropriate access rights are used. He may approve access requests himself or delegate that function to the business unit manager. The business unit manager approves the request based on the user access criteria defined by the data owner.
#85. Insider trading can occur through the unintentional transmission of information. Which of the following access control models is most appropriate to prepare for such an eventuality?
The Chinese Wall Model is a security model that focuses on the flow of information within an organization, such as insider trading. Insider trading occurs when inside information leaks to the outside world. In reality, information can spread to unexpected places as it is passed on orally to unrelated parties. In order to take such information flow into account, access privileges are determined in a simulation-like manner. Therefore, the correct answer is the “Chinese Wall Model (Brewer-Nash Model).
×：Lattice-based Access Control
Lattice-based access control is to assume that a single entity can have multiple access rights and to consider access control as all possible relationships under a certain condition.
The Biba model is a security model that indicates that data cannot be changed without permission.
The Harrison-Ruzzo-Ullman model is a model that aggregates the eight rules of the Graham-Denning model into six rules using an access control matrix.
#86. Which of the following adequately describes parallel testing in disaster recovery testing?
〇：Ensure that some systems are executed at the alternate site.
Parallel testing compares how some systems run at the alternate site and how the results are processed at the primary site. This is to assure that systems run at the alternate site and does not affect service productivity.
×：All departments will be sent a copy of the disaster recovery plan for completeness.
This alternative is incorrect because it describes a checklist test.
×：Representatives from each department meet to validate the plan.
This option is incorrect because it describes a structured walk-through test.
×：The normal operation system is taken down.
This option is incorrect because it describes a full interruption test.
#87. You have developed an application using open source. How should you test it?
〇：Test with reference to OSSTMM.
OSSTMM (Open Source Security Testing Methodology Manual) is an open source penetration testing standard. Open source is basically free and has many amazing features. Because it is free and anyone can use it, there is a view that trust is low. However, there is nothing like it if you properly understand the risks. That is why we are trying to create a testing standard for open source to ensure trust. Therefore, the correct answer is: “Test with reference to OSSTMM.” will be “OSSTMM”.
×：Since open source is fully tested at the point of development, the testing process can be omitted.
Even if it is open source, you need to test it according to your own organization.
×：Secure contact information for the developer and conduct testing with both developers.
If you contact the open source developer, these responses will probably not go through.
Most open source developers are doing this in good faith and may be brazen about further pursuit from the organization.
×：Ask other organizations to share completed tests.
The process of getting test results that may be confidential from other organizations is unreasonable.
#88. A business impact analysis is considered a functional analysis. Which of the following is NOT performed during a Business Impact Analysis?
〇：Parallel testing or full interruption testing
A Business Impact Analysis (BIA) is considered a functional analysis where the team gathers data through interviews and documentation sources. Document business functions, activities, and transactions. Develop a hierarchy of business functions. Finally, a classification scheme is applied that indicates the level of importance of each individual function. Parallel and full interruption tests are not part of the BIA. These tests are performed to ensure the ongoing effectiveness of the business continuity plan to accommodate the constantly changing environment. While full interruption testing involves shutting down the original site and resuming operations and processing at an alternate site, parallel testing is performed to ensure that a particular system will actually function properly at the alternate off-site function.
×：Application of a classification scheme based on criticality levels.
This is incorrect because it is performed during a BIA. This is done by identifying a company’s critical assets and mapping them to characteristics such as maximum allowable downtime, operational disruption and productivity, financial considerations, regulatory liability, and reputation.
×：Gathering information through interviews
This is not correct as it is done during the BIA. The BCP committee does not truly understand all business processes, the steps to be taken, or the resources and supplies those processes require. Therefore, the committee should collect this information from people in the know, which are department heads and specific employees within the organization.
×：Document business functions
This is incorrect because the BCP committee makes this part of the BIA. Business activities and transactions must be documented. This information can come from department managers and specific employees who are interviewed or surveyed. Once the information is documented, the BCP committee can conduct an analysis to determine which processes, equipment, or operational activities are most critical.
#89. There are three core rules in the U.S. HIPAA. Which of the following is NOT a core rule?
#90. Sue is charged with implementing several security controls to protect the company’s e-mail system, including antivirus and antispam software. What approach does her company take to address the risks posed by its systems?
Risk can be addressed in four basic ways: transfer, avoidance, mitigation, and acceptance. Sue reduces the risk posed by her e-mail system by implementing security controls such as antivirus and anti-spam software. This is also referred to as risk mitigation, where risk is reduced to a level considered acceptable. Risk can be mitigated by improving procedures, changing the environment, erecting barriers to threats, and implementing early detection techniques to stop threats when they occur and reduce damage.
This is inappropriate because risk acceptance does not involve spending on protection or countermeasures such as anti-virus software. When accepting a risk, one should be aware of the level of risk faced and the potential damage costs and decide to keep it without implementing countermeasures. If the cost/benefit ratio indicates that the cost of countermeasures exceeds the potential losses, many companies will accept the risk.
Wrong because it would mean discontinuing the activity that is causing the risk. In this case, Sue’s firm decides to continue using e-mail. A company may choose to terminate an activity that introduces risk if the risk outweighs the business needs of the activity. For example, a company may choose to block social media websites in some departments because of the risk to employee productivity.
This is incorrect because it involves sharing risk with other entities, as in the purchase of insurance to transfer some of the risk to the insurance company. Many types of insurance are available to firms to protect their assets. If a company determines that its total or excess risk is too high to gamble, it can purchase insurance.
#91. Which of the following is an incorrect mapping of information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)?
〇：ISO / IEC 27005 – Guidelines for Bodies Providing Audits and Certification of Information Security Management Systems
The ISO / IEC 27005 standard is a guideline for information security risk management. ISO / IEC 27005 is an international standard on how risk management should be implemented within the framework of an ISMS.
×：ISO / IEC 27002 – Code of practice for information security management
This is not correct because it is a code of practice for information security management. Therefore, it has the correct mapping. ISO / IEC 27002 provides best practice recommendations and guidelines for starting, implementing, or maintaining an ISMS.
×：ISO / IEC 27003 – ISMS Implementation Guidelines
This is incorrect as it is a guideline for ISMS implementation. Therefore, it has the correct mapping. Focuses on the key aspects necessary for the successful design and implementation of an ISMS according to ISO / IEC 27001:2005. It describes the ISMS specification and design process from its inception to the creation of an implementation plan.
×：ISO / IEC 27004 – Guidelines for Information Security Management Measurement and Metrics Framework
This is incorrect because it is a guideline for an information security management measurement and metrics framework. Therefore, it has the correct mapping. It provides guidance on the development and use of measures to assess the effectiveness of an ISMS and a group of controls or controls, as specified in ISO / IEC 27001.
#92. A company is looking to migrate to an original or new site. Which phase of business continuity planning do you proceed with?
When a firm returns to its original or new site, the firm is ready to enter the reconfiguration phase. The firm has not entered the emergency state until it is operating at the original primary site or until it returns to the new site that was built to replace the primary site. If a firm needs to return from the replacement site to the original site, a number of logistical issues must be considered. Some of these issues include ensuring employee safety, proper communication and connection methods are working, and properly testing the new environment.
The definition of a rebuilding phase needs to be imagined and answered in the question text. It will test your language skills to see how it reads semantically rather than lexically correct.
Incorrect because it involves preparing an off-site facility (if needed), rebuilding networks and systems, and organizing staff to move to the new facility. To get the company up and running as quickly as possible, the recovery process needs to be as structured as possible. Templates should be developed during the planning phase. It can be used by each team during the recovery phase to take the necessary steps and document the results. The template keeps the team on task and quickly communicates to the team leader about progress, obstacles, and potential recovery time.
×：Project Initiation Phase
This is incorrect because it is how the actual business continuity plan is initiated. It does not occur during the execution of the plan. The Project Initiation Phase includes obtaining administrative support, developing the scope of the plan, and securing funding and resources.
×：Damage Assessment Phase
Incorrect because it occurs at the start of the actual implementation of the business continuity procedures. The damage assessment helps determine if the business continuity plan should be implemented based on the activation criteria predefined by the BCP coordinator and team. After the damage assessment, the team will move into recovery mode if one or more of the situations listed in the criteria occur.
#93. We are looking to move to a cloud-based solution to eliminate the increasing cost of maintaining our own server network environment. Which of the following is the correct definition and mapping of a typical cloud-based solution to choose?
〇：The cloud provider is provided a platform as a service that provides a computing platform that may include an operating system, database, and web servers.
Cloud computing is a term used to describe the aggregation of network and server technologies, each virtualized, to provide customers with a specific computing environment that matches their needs. This centralized control provides end users with self-service, broad access across multiple devices, resource pooling, rapid elasticity, and service monitoring capabilities.
There are different types of cloud computing products: IaaS provides virtualized servers in the cloud; PaaS allows applications to be developed individually; SaaS allows service providers to deploy services with no development required and with a choice of functionality; and IaaS allows customers to choose the type of service they want to use. ” The term “PaaS” must fit the definition of “PaaS” because it requires that “the original application configuration remains the same”. Thus, the correct answer is, “The cloud provider provides a computing platform that may include an operating system, database, and web server, where the platform as a service is provided.” The following is the correct answer
×：The cloud provider is provided with an infrastructure as a service that provides a computing platform that can include an operating system, database, and web servers.
×：The cloud provider is provided with software services that provide an infrastructure environment similar to that of a traditional data center.
This is a description of the operational benefits of cloud computing. It is not a definition.
×：The cloud provider provides software as a service in a computing platform environment where application functionality is internalized.
#94. You are selecting a site for a new data center and offices. Which of the following is not a valid security concern?
Greenfield is undeveloped land that has not yet been built upon. The perspectives for selecting a site as a data center site include topography, utilities, and public safety.
- Topography refers to the physical shape of the landscape-hills, valleys, trees, streams.
- Utility refers to the degree to which power and internet in the area are reliable.
- Public safety is in terms of how high is the crime rate in the area and how close is the police force.
#95. Which of the following is true about digital forensics?
〇：It encompasses network and code analysis and is sometimes referred to as electronic data discovery.
Forensics is the analysis of electronic data that may have been affected by technology, authentication, and criminal activity requiring special techniques to ensure the preservation of information. It comes together of computer science, information technology and engineering in the legal system. When discussing digital forensics with others, it may be described as computer forensics, network forensics, electronic data discovery, cyber forensics, etc.
×：The study of computer technology.
Digital forensics is incorrect because it involves information technology rather than research. It encompasses the study of information technology, but also includes collecting and protecting evidence and working within specific legal systems.
×：A set of hardware-specific processes that must be followed in order for evidence to be admissible in court.
Digital forensics is incorrect because it does not refer to hardware or software. It is a set of specific processes related to computer usage, examination of residual data, technical analysis and description of technical characteristics of the data, and reconstruction of the authentication of data by computer usage that must be followed for the evidence to be admissible in court.
×：Before an incident occurs, digital forensics roles and responsibilities should be assigned to network administrators.
This is wrong because digital forensics must be done by people with the proper training and skill set who could not possibly be administrators or network administrators. Digital forensics can be fragile and must have been worked on properly. If someone reboots an attacked system or inspects various files, it could corrupt and change executable evidence, key file timestamps, and erase any footprints the criminal may have left behind.
#96. Which of the following are effective methods that you as a software system administrator can implement to prevent significant damage?
〇：Regular software updates
You are the system administrator. As an administrator, what you should be doing is updating software on a regular basis. Therefore, the correct answer is “regular software updates.
There may be some that you should implement, but choosing the better of the two will also be tested in the actual exam.
×：Sophisticated product selection
In most cases, products that meet the requirements will be selected in accordance with the Request for Proposal (RFP) presented by the customer. Existing system administrators may be involved in some of these discussions, but this is not an appropriate response.
×：Early reporting to your supervisor
In all jobs, reporting to the supervisor is probably an essential part of the job. Here, however, it is more appropriate to focus on your position as a software system administrator.
×：Human resources to monitor the system
A resident system may allow you to deal with problems in a timely manner. However, here, it is more appropriate to focus on the position as a system administrator of the software.
#97. TLS is a protocol used to protect transactions that occur over an untrusted network. Which of the following is an appropriate description of what takes place during the setup process of a TLS connection?
〇：The client generates a session key and encrypts it with a public key.
Transport Layer Security (TLS) uses public key cryptography to provide data encryption, server authentication, message integrity, and optionally client authentication. When a client accesses a cryptographically protected page, the web server initiates TLS and begins the process of securing subsequent communications. The server performs a three-handshake to establish a secure session. After that, client authentication with a digital certificate, as the case may be, comes in. The client then generates a session key, encrypts it with the server’s public key, and shares it. This session key is used as the symmetric key for encrypting the data to be transmitted thereafter. Thus, the correct answer is: “The client generates a session key and encrypts it with the public key.” will be
×：The server generates the session key and encrypts it with the public key.
The server does not encrypt with the public key.
×：The server generates a session key and encrypts it with the private key.
Even if encryption is performed from the server side, it can be decrypted with the public key, so it is not structurally possible.
×：The client generates a session key and encrypts it with its private key.
The client side does not have the private key.
#98. Which of the following is NOT included in the risk assessment?
〇：Cessation of activities that pose a risk.
This question is about choosing what is not included. Discontinuing an activity that introduces risk is a way to address risk through avoidance. For example, there are many risks surrounding the use of instant messaging (IM) within a company. If a company decides not to allow the use of IM because there is no business need to do so, banning this service is an example of risk avoidance. The risk assessment does not include the implementation of such measures. Therefore, the correct answer is “discontinue the activity that poses a risk”.
This is incorrect because identifying the asset is part of the risk assessment and is required to identify what is not included in the risk assessment. To determine the value of an asset, the asset must first be identified. Identifying and valuing assets is another important task of risk management.
This is incorrect because identifying threats is part of risk assessment and requires identifying what is not included in the risk assessment. A risk exists because a threat could exploit a vulnerability. If there are no threats, there are no risks. Risk links vulnerabilities, threats, and the resulting potential for exploitation to the business.
×：Risk analysis in order of cost
Analyzing risks in order of cost or criticality is part of the risk assessment process and is inappropriate because questions are asked to identify what is not included in the risk assessment. A risk assessment examines and quantifies the risks a company faces. Risks must be addressed in a cost-effective manner. Knowing the severity of the risk allows the organization to determine how to effectively address it.
#99. You are the security administrator for a large retail company. Their network has many different network devices and software appliances that generate logs and audit data. At one point, your staff is trying to determine if any suspicious activity is taking place in the network. However, reviewing all the log files is burdensome. Which of the following is the best solution for your company in this case?
Many organizations have implemented security event management systems, called Security Information and Event Management (SIEM) systems. They attempt to correlate log data collected from various devices (servers, firewalls, routers, etc.) and provide analysis capabilities. They also have solutions with networks (IDS, IPS, anti-malware, proxies, etc.) that collect logs in various proprietary formats that require centralization, standardization, and normalization. Therefore, the correct answer is SIEM.
×：Intrusion Detection System
Intrusion Detection System (IDS, Intrusion Detection System) is a mechanism that monitors the system and leads to passive actions. It does not have the ability to collect and analyze logs.
SOAR (Security Orchestration, Automation and Response) is a technology that enables efficient monitoring, understanding, decision-making and action on security incidents. It may be fulfilled by SOAR through intrinsic cause analysis, but it is not a solution used for the purpose of identifying if suspicious activity is taking place in the network.
×：Event correlation tools
The term “event correlation tool” does not exist, but may be a feature of a SIEM.
#100. Which of the following markup languages is used to allow sharing of application security policies and ensure that all applications follow the same security rules?
XACML allows two or more companies to have a trust model set up to share identity, authentication, and authorization methods. This means that when you authenticate against your own software, you can pass the authentication parameters to your partner. This allows them to interact with their partner’s software without having to authenticate more than once. This is done via XACML (Extensible Access Control Markup Language), which allows multiple organizations to share application security policies based on a trust model XACML is a markup language and processing model implemented in XML XACML is a markup language and processing model implemented in XML. It declares access control policies and describes how to interpret access control policies.
×：XML (Extensible Markup Language)
XML (Extensible Markup Language) is incorrect because it is a way to electronically code documents and represent data structures such as web services. XML is not used to share security information. XML is an open standard that is more robust than traditional HTML. In addition to serving as a markup language, XML also serves as the foundation for other industry-specific XML standards. With XML, companies can communicate with each other while using a markup language that meets their specific needs.
Service Provisioning Markup Language (SPML) is incorrect because it is used by companies to exchange user, resource, and service provisioning information rather than application security information. SPML is an XML-based framework developed by OASIS that allows enterprise platforms, such as web portals and application servers, to provision requests to multiple companies for the purpose of securely and quickly setting up web services and applications. It is intended to enable the generation of.
Incorrect because GML (Generalized Markup Language) is a method created by IBM for document formatting. It describes a document in terms of parts (chapters, paragraphs, lists, etc.) and their relationships (heading levels). GML was the predecessor of SGML (Standard Generalized Markup Language) and HTML (Hypertext Markup Language).