CISSP Topic 4
Q201. Two computers, each with a single connection on the same physical 10 gigabit Ethernet network segment, need to communicate with each other. The first machine has a single Internet Protocol (IP) Classless Inter-Domain Routing (CIDR) address of 192.168.1.3/30 and the second machine has an IP/CIDR address of 192.168.1.6/30. Which of the following is correct?
A. Since each computer is on a different layer 3 network, traffic between the computers must be processed by a network bridge in order to communicate
B. Since each computer is on the same layer 3 network, traffic between the computers may be processed by a network router in order to communicate
C. Since each computer is on the same layer 3 network, traffic between the computers may be processed by a network bridge in order to communicate
D. Since each computer is on a different layer 3 network, traffic between the computers must be processed by a network router in order to communicate
D
Q202. The Industrial Control System (ICS) Computer Emergency Response Team (CERT) has released an alert regarding ICS-focused malware specifically propagating through Windows-based business networks. Technicians at a local water utility note that their dams, canals, and locks controlled by an internal Supervisory Control and Data Acquisition (SCADA) system have been malfunctioning. A digital forensics professional is consulted in the Incident Response (IR) and recovery.
Which of the following is the MOST challenging aspect of this investigation?
A. Group policy implementation
B. SCADA network latency
C. Physical access to the system
D. Volatility of data
C
Q203. Which of the following outsourcing agreement provisions has the HIGHEST priority from a security operations perspective?
A. Conditions to prevent the use of subcontractors
B. Terms for contract renegotiation in case of disaster
C. Root cause analysis for application performance issue
D. Escalation process for problem resolution during incidents
D
Q204. When determining data and information asset handling, regardless of the specific toolset being used, which of the following is one of the common components of big data?
A. Distributed storage locations
B. Centralized processing location
C. Distributed data collection
D. Consolidated data collection
C
Q205. Which evidence collecting technique would be utilized when it is believed an attacker is employing a rootkit and a quick analysis is needed?
A. Forensic disk imaging
B. Live response
C. Memory collection
D. Malware analysis
B
Q206. Which of the following examples is BEST to minimize the attack surface for a customer’s private information?
A. Data masking
B. Authentication
C. Obfuscation
D. Collection limitation
B
Q207. Information security practitioners are in the midst of implementing a new firewall. Which of the following failure methods would BEST prioritize security in the event of failure?
A. Failover
B. Fail-Closed
C. Fail-Safe
D. Fail-Open
B
Q208. To ensure proper governance of information throughout the lifecycle, which of the following should be assigned FIRST?
A. Owner
B. Classification
C. Custodian
D. Retention
A
Q209. The Chief Information Officer (CIO) has decided that as part of business modernization efforts the organization will move towards a cloud architecture. All business-critical data will be migrated to either internal or external cloud services within the next two years. The CIO has a PRIMARY obligation to work with personnel in which role in order to ensure proper protection of data during and after the cloud migration?
A. Chief Security Officer (CSO)
B. Information owner
C. Chief Information Security Officer (CISO)
D. General Counsel
B
Q210. An organization would like to ensure that all new users have a predefined departmental access template applied upon creation. The organization would also like additional access for users to be granted on a per-project basis. What type of user access administration is BEST suited to meet the organization’s needs?
A. Decentralized
B. Hybrid
C. Centralized
D. Federated
B
Q211. Which of the following should be done at a disaster site before any item is removed, repaired, or replaced?
A. Communicate with the press following the communications plan
B. Dispatch personnel to the disaster recovery (DR) site
C. Take photos of the damage
D. Notify all of the Board of Directors
B
Q212. Assuming an individual has taken all of the steps to keep their internet connection private, which of the following is the BEST to browse the web privately?
A. Store information about browsing activities on the personal device.
B. Prevent information about browsing activities from being stored on the personal device.
C. Prevent information about browsing activities from being stored in the cloud.
D. Store browsing activities in the cloud.
B
Q213. What testing technique enables the designer to develop mitigation strategies for potential vulnerabilities?
A. Source code review
B. Threat modeling
C. Penetration testing
D. Manual inspections and reviews
B
Q214. The security organization is looking for a solution that could help them determine with a strong level of confidence that attackers have breached their network.
Which solution is MOST effective at discovering a successful network breach?
A. Developing a sandbox
B. Installing an intrusion detection system (IDS)
C. Deploying a honeypot
D. Installing an intrusion prevention system (IPS)
B
Q215. Which of the following is a covert channel type?
A. Pipe
B. Memory
C. Storage
D. Monitoring
C
Q216. The Chief Executive Officer (CEO) wants to implement an internal audit of the company’s information security posture. The CEO wants to avoid any bias in the audit process and has therefore assigned the Sales Director to conduct the audit. After significant interaction over a period of weeks, the audit concludes that the company’s policies and procedures are sufficient, robust, and well established. The CEO then moves on to engage an external penetration testing company in order to showcase the organization’s robust information security stance. This exercise reveals significant failings in several critical security controls and shows that the incident response processes remain undocumented. What is the MOST likely reason for this disparity in the results of the audit and the external penetration test?
A. The audit team lacked the technical experience and training to make insightful and objective assessments of the data provided to them.
B. The scope of the penetration test exercise and the internal audit were significantly different.
C. The external penetration testing company used custom zero-day attacks that could not have been predicted.
D. The information technology (IT) and governance teams have failed to disclose relevant information to the internal audit team leading to an incomplete assessment being formulated.
B
Q217. An organization with divisions in the United States (US) and the United Kingdom (UK) processes data comprised of personal information belonging to subjects living in the European Union (EU) and in the US. Which data MUST be handled according to the privacy protections of the General Data Protection Regulation (GDPR)?
A. Only the UK citizens’ data
B. Only the EU residents’ data
C. Only data processed in the UK
D. Only the EU citizens’ data
B
Q218. A security engineer is conducting an audit of an organization’s Voice over Internet Protocol (VoIP) phone network due to a large increase in charges from their phone provider. The engineer discovers unauthorized endpoints have connected to the phone server from the public internet and placed hundreds of unauthorized calls to parties around the globe. Which type of attack occurred?
A. Control eavesdropping
B. Toll fraud
C. Call hijacking
D. Address spoofing
B
Q219. Who is the BEST person to review developed application code to ensure it has been tested and verified?
A. A developer who knows what is expected of the application, but not the same one who developed it.
B. A member of quality assurance (QA) should review the developer’s code.
C. A developer who understands the application requirements document, and who also developed the code.
D. The manager should review the developer’s application code.
B
Q220. In which process MUST security be considered during the acquisition of new software?
A. Request for proposal (RFP)
B. Implementation
C. Vendor selection
D. Contract negotiation
A
Q221. An organization contracts with a consultant to perform a System Organization Control (SOC) 2 audit on their internal security controls. An auditor documents a finding related to an Application Programming Interface (API) performing an action that is not aligned with the scope or objective of the system. Which trust service principle would be MOST applicable in this situation?
A. Confidentiality
B. Processing Integrity
C. Security
D. Availability
B
Q222. Which type of disaster recovery plan (DRP) testing carries the MOST operational risk?
A. Cutover
B. Parallel
C. Walkthrough
D. Tabletop
A
Q223. An organization is implementing security review as part of system development. Which of the following is the BEST technique to follow?
A. Perform incremental assessments.
B. Engage a third-party auditing firm.
C. Review security architecture.
D. Conduct penetration testing.
C
Q224. Which of the following is the MOST significant key management problem due to the number of keys created?
A. Exponential growth when using symmetric keys
B. Exponential growth when using asymmetric keys
C. Storage of the keys require increased security
D. Keys are more difficult to provision and revoke
A
Q225. The Chief Information Security Officer (CISO) of a small organization is making a case for building a security operations center (SOC). While debating between an in-house, fully outsourced, or a hybrid capability, which of the following would be the MAIN consideration, regardless of the model?
A. Headcount and capacity
B. Scope and service catalog
C. Skill set and training
D. Tools and technologies
B
Q226. Which of the following is a benefit of implementing data-in-use controls?
A. If the data is lost, it must be decrypted to be opened.
B. When the data is being viewed, it can only be printed by authorized users.
C. When the data is being viewed, it can be accessed using secure protocols.
D. If the data is lost, it may not be accessible to unauthorized users.
B
Q227. An organization is establishing a privacy program to ensure that personally identifiable information (PII) is properly protected. What is the FIRST action the organization should take to establish the program?
A. Appoint a senior official to oversee the privacy program.
B. Allocate sufficient resources to implement the privacy program.
C. Develop a strategic organizational privacy plan.
D. Monitor privacy laws and policy changes.
A
Q228. A company is planning to implement a private cloud infrastructure. Which of the following recommendations will support the move to a cloud infrastructure?
A. Implement software-defined networking (SDN) to provide the ability to apply high-level policies to shape and reorder network traffic based on users, devices and applications.
B. Implement a virtual local area network (VLAN) for each department and create a separate subnet for each VLAN.
C. Implement software-defined networking (SDN) to provide the ability for the network infrastructure to be integrated with the control and data planes.
D. Implement a virtual local area network (VLAN) to logically separate the local area network (LAN) from the physical switches.
A
Q229. What term is commonly used to describe hardware and software assets that are stored in a configuration management database (CMDB)?
A. Configuration item
B. Configuration element
C. Ledger item
D. Asset register
A
Q230. A security architect is implementing an authentication system for a distributed network of servers. This network will be accessed by users on workstations that cannot trust the identity of the user. Which solution should the security architect use to have the users trust one another?
A. One-way authentication
B. Kerberos
C. Mutual authentication
D. Single session software tokens
C
Q231. How is protection for hypervisor host and software administration functions BEST achieved?
A. Enforce network controls using a host-based firewall.
B. Deploy the management interface in a dedicated virtual network segment.
C. The management traffic pathway should have separate physical network interface cards (NIC) and network.
D. Deny permissions to specific virtual machines (VM) groups and objects.
C
Q232. Which type of log collection is focused on detecting and responding to attacks, malware infection, and data theft?
A. Intrusion detection
B. Operational
C. Security
D. Compliance
C
Q233. A large manufacturing organization arranges to buy an industrial machine system to produce a new line of products. The system includes software provided to the vendor by a third-party organization. The financial risk to the manufacturing organization starting production is high. What step should the manufacturing organization take to minimize its financial risk in the new venture prior to the purchase?
A. Require that the software be thoroughly tested by an accredited independent software testing company.
B. Hire a performance tester to execute offline tests on a system.
C. Calculate the possible loss in revenue to the organization due to software bugs and vulnerabilities, and compare that to the system’s overall price.
D. Place the machine behind a Layer 3 firewall.
C
Q234. Which of the following should be included in a good defense-in-depth strategy provided by object-oriented programming for software development?
A. Polymorphism
B. Inheritance
C. Polyinstantiation
D. Encapsulation
D
Q235. Which Open Systems Interconnection (OSI) layer(s) BEST corresponds to the network access layer in the Transmission Control Protocol/Internet Protocol (TCP/IP) model?
A. Data Link and Physical Layers
B. Session and Network Layers
C. Transport Layer
D. Application, Presentation, and Session Layers
A
Q236. What is the BEST design for securing physical perimeter protection?
A. Closed-circuit television (CCTV)
B. Business continuity planning (BCP)
C. Barriers, fences, gates, and walls
D. Crime Prevention through Environmental Design (CPTED)
D
Q237. An application is used for funds transfers between an organization and a third-party. During a security audit, an auditor has found an issue with the business continuity disaster recovery policy and procedures for this application. Which of the following reports should the auditor file with the organization?
A. Statement on Auditing Standards (SAS) 70-1
B. Statement on Auditing Standards (SAS) 70
C. Service Organization Control (SOC) 1
D. Service Organization Control (SOC) 2
D
Q238. Which of the following measures serves as the BEST means for protecting data on computers, smartphones, and external storage devices when traveling to high-risk countries?
A. Review applicable destination country laws, forensically clean devices prior to travel, and only download sensitive data over a virtual private network (VPN) upon arriving at the destination.
B. Leverage a Secure Socket Layer (SSL) connection over a virtual private network (VPN) to download sensitive data upon arriving at the destination.
C. Keep laptops, external storage devices, and smartphones in the hotel room when not in use.
D. Use multi-factor authentication (MFA) to gain access to data stored on laptops or external storage devices and biometric fingerprint access control mechanisms to unlock smartphones.
D
Q239. When developing an electronic health record (EHR) in the United States (US), which of the following would be the BEST source of information for any compliance requirements?
A. World Health Organization (WHO)
B. International Organization for Standardization (ISO)
C. Health and Human Services (HHS)
D. American Public Health Association (APHA)
C
Q240. In addition to life, protection of which of the following elements is MOST important when planning a data center site?
A. Data and hardware
B. Property and operations
C. Resources and reputation
D. Profits and assets
A
Q241. A company developed a web application which is sold as a Software as a Service (SaaS) solution to the customer. The application is hosted by a web server running on a specific operating system (OS) on a virtual machine (VM). During the transition phase of the service, it is determined that the support team will need access to the application logs. Which of the following privileges would be the MOST suitable?
A. Administrative privileges on the hypervisor
B. Administrative privileges on the application folders
C. Administrative privileges on the web server
D. Administrative privileges on the OS
B
Q242. Which of the following determines how traffic should flow based on the status of the infrastructure layer?
A. Control plane
B. Application plane
C. Traffic plane
D. Data plane
A
Q243. An organization suspects it is receiving spoofed e-mails from a foreign-hosted web e-mail service. Where can the MOST relevant information be found to begin the process of identifying the perpetrator?
A. E-mail logs from foreign-hosted web server
B. Message header of received e-mails
C. Traffic logs from the corporate firewall
D. Log files of the corporate Simple Mail Transfer Protocol (SMTP) server
B
Q244. When testing password strength, which of the following is the BEST method for brute forcing passwords?
A. Conduct an offline attack on the hashed password information.
B. Use a comprehensive list of words to attempt to guess the password.
C. Use social engineering methods to attempt to obtain the password.
D. Conduct an online password attack until the account being used is locked.
A
Q245. Which of the following is the MOST common cause of system or security failures?
A. Lack of physical security controls
B. Lack of change control
C. Lack of logging and monitoring
D. Lack of system documentation
B
Q246. An organization has discovered that organizational data is posted by employees to data storage accessible to the general public. What is the PRIMARY step an organization must take to ensure data is properly protected from public release?
A. Implement a user reporting policy.
B. Implement a data encryption policy.
C. Implement a user training policy.
D. Implement a data classification policy.
D
Q247. Which audit type is MOST appropriate for evaluating the effectiveness of a security program?
A. Analysis
B. Threat
C. Assessment
D. Validation
C
Q248. Which of the following BEST represents a defense in depth concept?
A. Network-based data loss prevention (DLP), Network Access Control (NAC), network-based Intrusion prevention system (NIPS), Port security on core switches
B. Host-based data loss prevention (DLP), Endpoint anti-malware solution, Host-based integrity checker, Laptop locks, hard disk drive (HDD) encryption
C. Endpoint security management, network intrusion detection system (NIDS), Network Access Control (NAC), Privileged Access Management (PAM), security information and event management (SIEM)
D. Web application firewall (WAF), Gateway network device tuning, Database firewall, Next-Generation Firewall (NGFW), Tier-2 demilitarized zone (DMZ) tuning
C
Q249. When conducting a remote access session using Internet Protocol Security (IPSec), which Open Systems Interconnection (OSI) model layer does this connection use?
A. Presentation
B. Transport
C. Network
D. Data link
C
Q250. Which of the following statements BEST distinguishes a stateful packet inspection firewall from a stateless packet filter firewall?
A. The SPI inspects traffic on a packet-by-packet basis.
B. The SPI inspects the flags on Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packets.
C. The SPI is capable of dropping packets based on a pre-defined rule set.
D. The SPI inspects the traffic in the context of a session.
D
Q251. A database server for a financial application is scheduled for production deployment. Which of the following controls will BEST prevent tampering?
A. Data sanitization
B. Data validation
C. Service accounts removal
D. Logging and monitoring
B
Q252. An organization is developing employee training content to increase awareness of Payment Card Industry (PCI) standards. What are the three types of awareness roles applicable to the organization?
A. All personnel, specialized, management
B. Standard, privileged, administrator
C. Basic, intermediate, advanced
D. Technical, operational, administrative
A
Q253. An organization acquired used technological equipment. This equipment will be integrated with new and existing business processes. What is the MOST appropriate consideration to identify the equipment that requires protection?
A. Total monetary value of the acquisition
B. The age of the computing hardware
C. Stakeholder concerns of how the assets are used
D. Length and extent of support by the vendor
D
Q254. While reviewing a web application-to-application connection, a security professional finds the use of Representational State Transfer (REST) application programming interfaces (API) and identifies it as secure. Which one of the following connection Uniform Resource Locators (URL) applies to this scenario?
A. https://url.com/Resources//action?apiKey=a399ikjiuynj
B. http://url.com/SecureTLS//action
C. http://url.com/Resources//action?apiKey=a399ikjiuynj
D. https://url.com/Resources//action
D
Q255. A company hired an external vendor to perform a penetration test of a new payroll system. The company’s internal test team had already performed an in-depth application and security test of the system and determined that it met security requirements. However, the external vendor uncovered significant security weaknesses where sensitive personal data was being sent unencrypted to the tax processing systems. What is the MOST likely cause of the security issues?
A. Inadequate performance testing
B. Inadequate application level testing
C. Failure to perform negative testing
D. Failure to perform interface testing
D
Q256. Which of the following virtual network configuration options is BEST to protect virtual machines (VM)?
A. Data segmentation
B. Data encryption
C. Traffic filtering
D. Traffic throttling
C
Q257. In setting expectations when reviewing the results of a security test, which of the following statements is MOST important to convey to reviewers?
A. The accuracy of testing results can be greatly improved if the target(s) are properly hardened.
B. The results of the tests represent a point-in-time assessment of the target(s).
C. The deficiencies identified can be corrected immediately.
D. The target’s security posture cannot be further compromised.
B
Q258. An organization has determined that its previous waterfall approach to software development is not keeping pace with business demands. To adapt to the rapid changes required for product delivery, the organization has decided to move towards an Agile software development and release cycle. In order to ensure the success of the Agile methodology, who is the MOST critical in creating acceptance criteria for each release?
A. Business customers
B. Software developers
C. Independent testers
D. Project managers
A
Q259. Which of the following languages supports a modular program structure and was designed for military and real-time systems?
A. C++
B. Personal Home Page (PHP)
C. Ada
D. Java
C
Q260. Which of the following is the MOST effective method of defending against zero-day malware threats?
A. Client firewalls
B. Client event logging
C. Client application whitelisting
D. Client antivirus
C
Q261. A security consultant has been hired by a company to establish its vulnerability management program. The consultant is now in the deployment phase. Which of the following tasks is part of this process?
A. Educate and train key stakeholders.
B. Measure effectiveness of the program’s stated goals.
C. Determine a budget and cost analysis for the program.
D. Select and procure supporting technologies.
D
Q262. Which of the following is the BEST method to perform an end-to-end testing on production for both operational and security requirements?
A. Synthetic transaction analysis
B. Dynamic code analysis
C. Static code analysis
D. Vulnerability analysis
B
Q263. In designing the architecture of an access control system, it was determined that confidentiality and controlled access to information were the primary focus. Which of the following security models is the BEST choice for the organization?
A. Biba integrity model
B. Clark-Wilson model
C. Bell-LaPadula model
D. Brewer-Nash model
C
Q264. Wi-Fi Protected Access 2 (WPA2) is a security protocol designed with which of the following security features?
A. Encryption control
B. Malware attack protection
C. Data availability
D. Replay attack protection
A
Q265. Concerning appropriate data retention policies, which of the following is the MAIN risk factor for the availability of archived information?
A. Data stored in third-party environments.
B. Data maintained offline requires a higher time to access.
C. Data recorded in obsolete media cannot be read.
D. Retention of data involves a cost.
A
Q266. Which function does 802.1X provide?
A. Network intrusion detection system (NIDS)
B. Wireless access point (WAP)
C. Wi-Fi Protected Access (WPA)
D. Network Access Control (NAC)
D
Q267. During the change management process, which of the following is used to identify and record new risks?
A. Risk assessment
B. Lessons learned register
C. Risk register
D. Risk report
C
Q268. A senior security engineer has been tasked with ensuring the confidentiality and integrity of the organization’s most valuable personally identifiable information (PII). This data is stored on local file and database servers within the organization’s data center. The following security measures have been implemented to ensure that unauthorized access is detected and logged.
• Network segmentation and enhanced access logging of the database and file servers
• Implemented encryption of data at rest
• Implemented full packet capture of the network traffic in and out of the sensitive network segment
• Ensured all transaction log data and packet captures are backed up to corporate backup appliance within the corporate backup network segment
Which of the following is the MOST likely way to exfiltrate PII while avoiding detection?
A. Unauthorized access to the file server via Secure Shell (SSH)
B. Unauthorized access to the database server via a compromised web application
C. Unauthorized access to the database server via a compromised user account
D. Unauthorized access to the backup server via a compromised service account
B
Q269. What BEST describes data ownership?
A. Geographic sovereignty
B. Confidentiality and integrity
C. Accuracy and precision
D. Legal responsibilities
D
Q270. A new internal auditor is tasked with auditing the supply chain. The system owner stated that the last internal auditor was terminated because the auditor discovered too many deficient controls. The auditor reports this conversation to their manager. Which of the following audit integrity principles BEST applies to this situation?
A. Demonstrate competence while performing professional duties.
B. Perform professional duties with honesty, diligence, and responsibility.
C. Perform professional duties in accordance with company policy.
D. Be aware of any influences that may be exerted on professional judgement.
B
Q271. The client of a security firm reviewed a vulnerability assessment report and claims the report is inaccurate. The client states that the vulnerabilities listed are not valid because the host’s operating system (OS) was not properly detected. Where in the vulnerability assessment process did the error MOST likely occur?
A. Report writing
B. Detection
C. Enumeration
D. Scanning
D
Q272. Which of the following measures is the MOST critical in order to safeguard from a malware attack on a smartphone?
A. Enable strong password.
B. Install anti-virus for mobile.
C. Enable biometric authentication.
D. Prevent jailbreaking or rooting.
D
Q273. Which of the following MOST accurately describes the Security Target (ST) in the Common Criteria framework?
A. The set of rules that define how resources or assets are managed and protected
B. A product independent set of security criteria for a class of products
C. The product and documentation to be evaluated
D. A document that includes a product specific set of security criteria
D
Q274. A Chief Information Security Officer (CISO) is considering various proposals for evaluating security weaknesses and vulnerabilities at the source code level. Which of the following items BEST equips the CISO to make smart decisions for the organization?
A. The Common Weakness Risk Analysis Framework (CWRAF)
B. The Common Vulnerabilities and Exposures (CVE)
C. The Common Weakness Enumeration (CWE)
D. The Open Web Application Security Project (OWASP) Top Ten
A
Q275. Prohibiting which of the following techniques is MOST helpful in preventing users from obtaining confidential data by using statistical queries?
A. Sequences of queries that refer repeatedly to the same population
B. Repeated queries that access multiple databases
C. Selecting all records from a table and displaying all columns
D. Running queries that access sensitive data
A
Q276. What is the MOST effective way to ensure that a cloud service provider does not access a customer’s data stored within its infrastructure?
A. Use the organization’s encryption tools and data management controls.
B. Ensure that the cloud service provider will contractually not access data unless given explicit authority.
C. Request audit logs on a regular basis.
D. Utilize the cloud provider’s key management and elastic hardware security module (HSM) support.
A
Q277. Which of the following access control mechanisms characterizes subjects and objects using a set of encoded security-relevant properties?
A. Mandatory access control (MAC)
B. Role-based access control (RBAC)
C. Attribute-based access control (ABAC)
D. Discretionary access control (DAC)
C
Q278. Which of the following is a MUST for creating a new custom-built, cloud-native application designed to be horizontally scalable?
A. Network as a Service (NaaS)
B. Platform as a Service (PaaS)
C. Infrastructure as a Service (IaaS)
D. Software as a Service (SaaS)
C
Q279. Which of the following should exist in order to perform a security audit?
A. Neutrality of the auditor
B. Industry framework to audit against
C. External (third-party) auditor
D. Internal certified auditor
B
Q280. The Open Web Application Security Project’s (OWASP) Software Assurance Maturity Model (SAMM) allows organizations to implement a flexible software security strategy to measure organizational impact based on what risk management aspect?
A. Risk exception
B. Risk tolerance
C. Risk treatment
D. Risk response
C
Q281. When conducting a third-party risk assessment of a new supplier, which of the following reports should be reviewed to confirm the operating effectiveness of the security, availability, confidentiality, and privacy trust principles?
A. Service Organization Control (SOC) 1, Type 2
B. Service Organization Control (SOC) 2, Type 2
C. International Organization for Standardization (ISO) 27001
D. International Organization for Standardization (ISO) 27002
B
Q282. Which algorithm gets its security from the difficulty of calculating discrete logarithms in a finite field and is used to distribute keys, but cannot be used to encrypt or decrypt messages?
A. Kerberos
B. Digital Signature Algorithm (DSA)
C. Diffie-Hellman
D. Rivest-Shamir-Adleman (RSA)
C
Q283. What is the benefit of using Network Admission Control (NAC)?
A. NAC only supports Windows operating systems (OS).
B. NAC supports validation of the endpoint’s security posture prior to allowing the session to go into an authorized state.
C. NAC can require the use of certificates, passwords, or a combination of both before allowing network admission.
D. Operating system (OS) versions can be validated prior to allowing network access.
B
Q284. What is the FIRST step prior to executing a test of an organization’s disaster recovery (DR) or business continuity plan (BCP)?
A. Develop clear evaluation criteria.
B. Identify key stakeholders.
C. Develop recommendations for disaster scenarios.
D. Identify potential failure points.
A
Q285. The development team has been tasked with collecting data from biometric devices. The application will support a variety of collection data streams. During the testing phase, the team utilizes data from an old production database in a secure testing environment. What principle has the team taken into consideration?
A. Biometric data cannot be changed.
B. The biometric devices are unknown.
C. Biometric data must be protected from disclosure.
D. Separate biometric data streams require increased security.
C
Q286. What is the PRIMARY benefit of incident reporting and computer crime investigations?
A. Complying with security policy
B. Repairing the damage and preventing future occurrences
C. Providing evidence to law enforcement
D. Appointing a computer emergency response team
B
Q287. What are the first two components of logical access control?
A. Authentication and availability
B. Authentication and identification
C. Identification and confidentiality
D. Confidentiality and authentication
B
Q288. An organization is formulating a strategy to provide access to third-party partners. The information technology (IT) department has been tasked with providing access by utilizing cloud services. Which of the following technologies is MOST commonly employed for completing the task?
A. Identity as a Service (IDaaS)
B. Firewall as a service
C. Infrastructure as a Service (IaaS)
D. Software as a Service (SaaS)
A
Q289. Which of the following is the MOST effective way to ensure hardware and software remain updated throughout an organization?
A. Performance of frequent security configuration audits
B. Performance of regular vulnerability scans
C. Use an inventory management tool
D. Use an automated configuration monitoring system
D
Q290. A web application requires users to register before they can use its services. Users must choose a unique username and a password that contains a minimum of eight characters. Which method MUST be used to store these passwords to ensure offline attacks are difficult?
A. Use an encryption algorithm that is fast with a random per-user encryption key.
B. Use a hash function that is fast with a per-user random salt.
C. Use a hash function with a cost factor and a per-user random salt.
D. Use an encryption algorithm with a random master key.
C
Q291. A hospital has three data classification levels: shareable without restrictions, shareable with restrictions, and internal use only. Which of the following BEST demonstrates adhering to principles of good enterprise data classification?
A. A printout of the employee code of conduct marked “shareable with restrictions” is posted in the hallway where patients have access.
B. A printout of the employee code of conduct marked “internal use only” is posted in the waiting room.
C. A memo regarding a newly discovered data breach marked as “internal use only” is posted on the wall in the employee lunchroom.
D. An electronic health record (EHR) with personally identifiable information (PII) marked as “shareable with restrictions” is found in the employee lunchroom.
C
Q292. If a medical analyst independently provides protected health information (PHI) to an external marketing organization, which ethical principle is this a violation of?
A. Higher ethic in the worst case
B. Informed consent
C. Change of scale test
D. Privacy regulations
D
Q293. In order to meet the project delivery deadline, a web application developer used readily available software components. Which is the BEST method for reducing the risk associated with this practice?
A. Ensure developers are using approved software development frameworks.
B. Obtain components from official sources over a secured link.
C. Ensure encryption of all sensitive data in a manner that protects and defends against threats.
D. Implement a process to verify the effectiveness of the software components and settings.
B
Q294. Which of the following methods is MOST effective in mitigating Cross-Site Scripting (XSS) vulnerabilities within HyperText Markup Language (HTML) websites?
A. Use antivirus and endpoint protection on the server to secure the web-based application
B. Place the web-based system in a defined Demilitarized Zone (DMZ)
C. Use .NET framework with .aspx extension to provide a higher level of security to the web application so that the web server display can be locked down
D. Not returning any HTML tags to the browser client
D
Q295. The Chief Information Security Officer (CISO) of a large financial institution is responsible for implementing the security controls to protect the confidentiality and integrity of the organization’s Information Systems. Which of the controls below is prioritized FIRST?
A. Firewall and reverse proxy
B. Web application firewall (WAF) and HyperText Transfer Protocol Secure (HTTPS)
C. Encryption of data in transit and data at rest
D. Firewall and intrusion prevention system (IPS)
C
Q296. Which kind of dependencies should be avoided when implementing secure design principles in software-defined networking (SDN)?
A. Hybrid
B. Circular
C. Dynamic
D. Static
B
Q297. Which of the following features is MOST effective in mitigating theft of data on a corporate mobile device that has been stolen?
A. Mobile Device Management (MDM) with device wipe
B. Mobile device tracking with geolocation
C. Virtual private network (VPN) with traffic encryption
D. Whole device encryption with key escrow
A
Q298. What security principle addresses the issue of “Security by Obscurity”?
A. Open design
B. Role Based Access Control (RBAC)
C. Segregation of duties (SoD)
D. Least privilege
A
Q299. A breach investigation found a website was exploited through an open source component. What is the FIRST step in the process that could have prevented this breach?
A. Application whitelisting
B. Vulnerability remediation
C. Web application firewall (WAF)
D. Software inventory
B
Q300. Why would a system be structured to isolate different classes of information from one another and segregate them by user jurisdiction?
A. The organization is required to provide different services to various third-party organizations.
B. The organization can avoid e-discovery processes in the event of litigation.
C. The organization’s infrastructure is clearly arranged and scope of responsibility is simplified.
D. The organization can vary its system policies to comply with conflicting national laws.
C