1. Which of the following is not a type of attack used against access controls?
2. George is assisting a prosecutor with a case against a hacker who attempted to break into the computer systems at George’s company. He provides system logs to the prosecutor for use as evidence, but the prosecutor insists that George testify in court about how he gathered the logs. What rule of evidence requires George’s testimony?
3. Jim has been asked to individually identify devices that users are bringing to work as part of a new BYOD policy. The devices will not be joined to a central management system like Active Directory, but he still needs to uniquely identify the systems. Which of the following options will provide Jim with the best means of reliably identifying each unique device?
4. Greg would like to implement application control technology in his organization. He would like to limit users to installing only approved software on their systems. What type of application control would be appropriate in this situation?
5. Which pair of the following factors is key for user acceptance of biometric identification systems?
6. Sally is wiring a gigabit Ethernet network. What cabling choices should she make to ensure she can use her network at the full 1000 Mbps she wants to provide to her users?
For questions 7–9, please refer to the following scenario.
Alex has been with the university he works at for more than 10 years. During that time, he has been a system administrator and a database administrator, and he has worked in the university’s help desk. He is now a manager for the team that runs the university’s web applications. Using the provisioning diagram shown here, answer the following questions.
7. If Alex hires a new employee and the employee’s account is provisioned after HR manually inputs information into the provisioning system based on data Alex provides via a series of forms, what type of provisioning has occurred?
8. Alex has access to B, C, and D. What concern should he raise to the university’s identity management team?
9. When Alex changes roles, what should occur?
10. Vivian works for a chain of retail stores and would like to use a software product that restricts the software used on point-of-sale terminals to those packages on a preapproved list. What approach should Vivian use?
11. What type of motion detector senses changes in the electromagnetic fields in monitored areas?
12. Don’s company is considering the use of an object-based storage system where data is placed in a vendor-managed storage environment through the use of API calls. What type of cloud computing service is in use?
13. What is the minimum interval at which an organization should conduct business continuity plan refresher training for those with specific business continuity roles?
14. What type of log file is shown in this figure?
15. Which one of the following technologies is not normally a capability of mobile device management (MDM) solutions?
16. Alex is preparing to solicit bids for a penetration test of his company’s network and systems. He wants to maximize the effectiveness of the testing rather than the realism of the test. What type of penetration test should he require in his bidding process?
17. What RADIUS alternative is commonly used for Cisco network gear and supports two-factor authentication?
18. What type of fire extinguisher is useful against liquid-based fires?
19. Which one of the following components should be included in an organization’s emergency response guidelines?
20. Which one of the following disaster recovery test types involves the actual activation of the disaster recovery facility?
21. Susan is configuring her network devices to use syslog. What should she set to ensure that she is notified about issues but does not receive normal operational issue messages?
22. While Lauren is monitoring traffic on two ends of a network connection, she sees traffic that is inbound to a public IP address show up inside the production network bound for an internal host that uses an RFC 1918 reserved address. What technology should she expect is in use at the network border?
23. Michelle is in charge of her organization’s mobile device management efforts and handles lost and stolen devices. Which of the following recommendations will provide the most assurance to her organization that data will not be lost if a device is stolen?
24. Dogs, guards, and fences are all common examples of what type of control?
25. In this diagram of the TCP three-way handshake, what should system A send to system B in step 3?
26. In which cloud computing model does a customer share computing infrastructure with other customers of the cloud vendor where one customer may not know the other’s identity?
For questions 27–29, please refer to the following scenario.
The large business that Jack works for has been using noncentralized logging for years. They have recently started to implement centralized logging, however, and as they reviewed logs, they discovered a breach that appeared to have involved a malicious insider. When the breach was discovered and the logs were reviewed, it was discovered that the attacker had purged the logs on the system that they compromised.
27. How can this be prevented in the future?
28. How can Jack detect issues like this using his organization’s new centralized logging?
29. How can Jack best ensure accountability for actions taken on systems in his environment?
30. What type of firewall uses multiple proxy servers that filter traffic based on analysis of the protocols used for each service?
31. James is building a disaster recovery plan for his organization and would like to determine the amount of acceptable data loss after an outage. What variable is James determining?
32. Which one of the following is not one of the canons of the (ISC)2 Code of Ethics?
33. Dave is responsible for password security in his organization and would like to strengthen the security of password files. He would like to defend his organization against the use of rainbow tables. Which one of the following techniques is specifically designed to frustrate the use of rainbow tables?
34. What is the process that occurs when the Session layer removes the header from data sent by the Transport layer?
35. Which one of the following types of firewalls does not have the ability to track connection status between different packets?
36. Alice wants to send Bob a message with the confidence that Bob will know the message was not altered while in transit. What goal of cryptography is Alice trying to achieve?
37. Chris is troubleshooting an issue with his organization’s SIEM reporting. After analyzing the issue, he believes that the timestamps on log entries from different systems are inconsistent. What protocol can he use to resolve this issue?
38. Alan is installing a fire suppression system that will kick in after a fire breaks out and protect the equipment in the data center from extensive damage. What metric is Alan attempting to lower?
39. Which one of the following technologies is designed to prevent a web server going offline from becoming a single point of failure in a web application architecture?
40. Alan is considering the use of new identification cards in his organization that will be used for physical access control. He comes across a sample card and is unsure of the technology. He breaks it open and sees the following internal construction. What type of card is this?
41. When an application or system allows a logged-in user to perform specific actions, it is an example of what?
42. What is the minimum number of cryptographic keys necessary to achieve strong security when using the 3DES algorithm?
43. Gina recently took the SSCP certification exam and then wrote a blog post that included the text of many of the exam questions that she experienced. What aspect of the (ISC)2 code of ethics is most directly violated in this situation?
44. What type of access controls allow the owner of a file to grant other users access to it using an access control list?
45. Which one of the following components is used to assign classifications to objects in a mandatory access control system?
46. Tommy handles access control requests for his organization. A user approaches him and explains that he needs access to the human resources database to complete a headcount analysis requested by the CFO. What has the user demonstrated successfully to Tommy?
47. Which one of the following is not a mode of operation for the Data Encryption Standard?
48. Voice pattern recognition is what type of authentication factor?
49. Which of the following is not a single sign-on implementation?
50. Chris is conducting a risk assessment for his organization and has determined the amount of damage that a single flood could be expected to cause to his facilities. What metric has Chris identified?
For questions 51–55, please refer to the following scenario.
Concho Controls is a midsize business focusing on building automation systems. They host a set of local file servers in their on-premises data center that store customer proposals, building plans, product information, and other data that is critical to their business operations. Tara works in the Concho Controls IT department and is responsible for designing and implementing the organization’s backup strategy, among other tasks. She currently conducts full backups every Sunday evening at 8 p.m. and differential backups on Monday through Friday at noon.
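Worked restore-chain logic for the Concho Controls schedule above, added here as an example and not part of the original question set. The calendar dates (a full backup on Sunday 2 June 2024 at 8 p.m., a failure the following Wednesday at 3 p.m.), the 500 GB full-backup size and the 20 GB of daily change are constructed to fit the scenario; the functions themselves work for any failure time in the week and for both differential and incremental schedules:

```python
"""Which backups to restore, in what order, and how much data is lost, for a
schedule of one full backup Sunday 20:00 plus a differential or incremental
backup Monday-Friday 12:00. Dates and sizes below are constructed."""
from datetime import datetime, timedelta

SUNDAY_FULL = datetime(2024, 6, 2, 20, 0)   # a Sunday, 8 p.m.
FAILURE = datetime(2024, 6, 5, 15, 0)       # the following Wednesday, 3 p.m.


def build_schedule(full_time, mode, full_size_gb=500, daily_change_gb=20):
    """One week of backups as (time, kind, size_gb), oldest first.

    mode is 'differential' (each backup holds everything changed since the
    last full) or 'incremental' (only what changed since the previous backup).
    With a constant amount of daily change, differentials grow day by day and
    incrementals stay the same size; the full backup is always the largest."""
    if mode not in ("differential", "incremental"):
        raise ValueError(f"unknown backup mode: {mode}")
    backups = [(full_time, "full", full_size_gb)]
    noon = full_time.replace(hour=12, minute=0)
    for day in range(1, 6):                      # Monday .. Friday
        size = daily_change_gb * day if mode == "differential" else daily_change_gb
        backups.append((noon + timedelta(days=day), mode, size))
    return backups


def restore_chain(backups, failure):
    """Backups to apply, in order: the newest full taken before the failure,
    then either the single newest differential, or every incremental taken
    since that full. A failure before any partial backup needs only the full."""
    before = [b for b in backups if b[0] < failure]
    full = max(b for b in before if b[1] == "full")
    partials = [b for b in before if b[0] > full[0] and b[1] != "full"]
    if not partials:
        return [full]
    if partials[-1][1] == "differential":
        return [full, partials[-1]]
    return [full] + partials


def data_loss_window(backups, failure):
    """Changes made after the last backup before the failure are gone for good."""
    return failure - max(b[0] for b in backups if b[0] < failure)


def largest_backup(backups):
    return max(backups, key=lambda b: b[2])


if __name__ == "__main__":
    for mode in ("differential", "incremental"):
        sched = build_schedule(SUNDAY_FULL, mode)
        chain = restore_chain(sched, FAILURE)
        print(mode, "->", [(b[0].strftime("%a %H:%M"), b[1]) for b in chain],
              "loss window:", data_loss_window(sched, FAILURE),
              "largest:", largest_backup(sched)[1])
```

Running the script shows the two strategies side by side: two restores (Sunday full, Wednesday differential) against four (full plus Monday, Tuesday and Wednesday incrementals), with the same three-hour loss window either way, because the loss window depends only on when the last backup ran.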
51. Concho experiences a server failure at 3 p.m. on Wednesday. Tara rebuilds the server and wants to restore data from the backups. What backup should Tara apply to the server first?
52. How many backups in total must Tara apply to the system to make the data it contains as current as possible?
53. In this backup approach, some data may be irretrievably lost. How long is the time period where any changes made will have been lost?
54. If Tara followed the same schedule but switched the differential backups to incremental backups, how many backups in total would she need to apply to the system to make the data it contains as current as possible?
55. If Tara made the change from differential to incremental backups and we assume that the same amount of information changes each day, which one of the following files would be the largest?
56. Susan has discovered that the smart card–based locks used to keep the facility she works at secure are not effective because staff members are propping the doors open. She places signs on the doors reminding staff that leaving the door open creates a security issue, and she adds alarms that will sound if the doors are left open for more than five minutes. What type of controls has she put into place?
57. During what phase of the electronic discovery reference model does an organization ensure that potentially discoverable information is protected against alteration or deletion?
58. Marty discovers that the access restrictions in his organization allow any user to log into the workstation assigned to any other user, even if they are from completely different departments. This type of access most directly violates which information security principle?
59. Which of the following tools is best suited to testing known exploits against a system?
60. Denise is preparing for a trial relating to a contract dispute between her company and a software vendor. The vendor is claiming that Denise made a verbal agreement that amended their written contract. What rule of evidence should Denise raise in her defense?
61. During which phase of the incident response process would an organization determine whether it is required to notify law enforcement officials or other regulators of the incident?
62. Gordon is conducting a risk assessment for his organization and determined the amount of damage that flooding is expected to cause to his facilities each year. What metric has Gordon identified?
63. Data is sent as bits at what layer of the OSI model?
64. Angie is configuring egress monitoring on her network to provide added security. Which one of the following packet types should Angie allow to leave the network headed for the Internet?
65. Harry would like to access a document owned by Sally stored on a file server. Applying the subject/object model to this scenario, who or what is the object of the resource request?
66. Information about an individual like their name, Social Security number, date and place of birth, or their mother’s maiden name is an example of what type of protected information?
67. Greg is building a disaster recovery plan for his organization and would like to determine the amount of time that it should take to restore a particular IT service after an outage. What variable is Greg calculating?
68. What type of access control is intended to discover unwanted or unauthorized activity by providing information after the event has occurred?
69. What business process typically requires sign-off from a manager before modifications are made to a system?
70. Gordon is developing a business continuity plan for a manufacturing company’s IT operations. The company is located in North Dakota and currently evaluating the risk of earthquake. They choose to pursue a risk acceptance strategy. Which one of the following actions is consistent with that strategy?
For questions 71–74, please refer to the following scenario.
Matthew and Richard are friends located in different physical locations who would like to begin communicating with each other using cryptography to protect the confidentiality of their communications. They exchange digital certificates to begin this process and plan to use an asymmetric encryption algorithm for the secure exchange of email messages.
71. When Matthew sends Richard a message, what key should he use to encrypt the message?
72. When Richard receives the message from Matthew, what key should he use to decrypt the message?
73. Matthew would like to enhance the security of his communication by adding a digital signature to the message. What goal of cryptography are digital signatures intended to enforce?
74. When Matthew goes to add the digital signature to the message, what encryption key does he use to create the digital signature?
75. What type of motion detector uses high microwave frequency signal transmissions to identify potential intruders?
76. Bert is considering the use of an infrastructure as a service cloud computing partner to provide virtual servers. Which one of the following would be a vendor responsibility in this scenario?
77. Callback to a landline phone number is an example of what type of factor?
78. Renee is using encryption to safeguard sensitive business secrets when in transit over the Internet. What risk metric is she attempting to lower?
79. Kim is the system administrator for a small business network that is experiencing security problems. She is in the office in the evening working on the problem, and nobody else is there. As she is watching, she can see that systems on the other side of the office that were previously behaving normally are now exhibiting signs of infection. What type of malware is Kim likely dealing with?
80. What two logical network topologies can be physically implemented as a star topology?
81. Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that he has appropriate rights?
82. What type of inbound packet is characteristic of a ping flood attack?
83. What penetration testing technique can best help assess training and awareness issues?
84. GAD Systems is concerned about the risk of hackers stealing sensitive information stored on a file server. They choose to pursue a risk mitigation strategy. Which one of the following actions would support that strategy?
85. Sally’s organization needs to be able to prove that certain staff members sent emails, and she wants to adopt a technology that will provide that capability without changing their existing email system. What is the technical term for the capability Sally needs to implement as the owner of the email system, and what tool could she use to do it?
86. What type of virus is characterized by the use of two or more different propagation mechanisms to improve its likelihood of spreading between systems?
87. Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve multifactor authentication?
88. Colleen is conducting a business impact assessment for her organization. What metric provides important information about the amount of time that the organization may be without a service before causing irreparable harm?
89. The separation of network infrastructure from the control layer, combined with the ability to centrally program a network design in a vendor-neutral, standards-based implementation, is an example of what important concept?
90. Ben is selecting an encryption algorithm for use in an organization with 10,000 employees. He must facilitate communication between any two employees within the organization. Which one of the following algorithms would allow him to meet this goal with the least time dedicated to key management?
91. Which of the following is used only to encrypt data in transit over a network and cannot be used to encrypt data at rest?
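The Matthew and Richard exchange from questions 71–74 walked through in code, with the key-count arithmetic behind question 90 included at the end. This is an added example, not from the original page: it uses textbook RSA over constructed moduli built from small Mersenne primes, with a 0x01 chunk prefix standing in for real padding (no OAEP, no PSS), so it shows which key plays which role and nothing more. The key pairs, the message and every function name are assumptions made for the example:

```python
"""Which key does what in an asymmetric email exchange, using toy textbook RSA.
Keys are built from small Mersenne primes and there is no proper padding, so
this illustrates key roles only; never use it for real traffic."""
import hashlib

CHUNK = 8  # plaintext bytes per RSA block; with the 0x01 prefix that is 72 bits


def _modinv(a, m):
    """Extended Euclid: return a^-1 mod m, raising if a is not invertible."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("exponent is not invertible modulo phi(n)")
    return s0 % m


def make_keypair(p, q, e=65537):
    """Return (public, private), each as an (n, exponent) tuple."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, _modinv(e, phi))


def _rsa_chunks(key, data):
    """Apply the key to each CHUNK-byte piece; the 0x01 prefix keeps leading
    zero bytes from disappearing when the integer is converted back."""
    n, exp = key
    return [pow(int.from_bytes(b"\x01" + data[i:i + CHUNK], "big"), exp, n)
            for i in range(0, len(data), CHUNK)]


def _rsa_unchunk(key, blocks):
    n, exp = key
    out = bytearray()
    for c in blocks:
        m = pow(c, exp, n)
        raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
        out += raw[1:]                      # drop the 0x01 prefix
    return bytes(out)


def encrypt(recipient_public, message):        # Q71: the recipient's public key
    return _rsa_chunks(recipient_public, message)


def decrypt(own_private, ciphertext):          # Q72: the recipient's own private key
    return _rsa_unchunk(own_private, ciphertext)


def sign(own_private, message):                # Q74: the sender's own private key
    return _rsa_chunks(own_private, hashlib.sha256(message).digest())


def verify(sender_public, message, signature):  # Q73: integrity and nonrepudiation
    return _rsa_unchunk(sender_public, signature) == hashlib.sha256(message).digest()


# Constructed key pairs (Mersenne primes; far too small for anything real).
RICHARD_PUB, RICHARD_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
MATTHEW_PUB, MATTHEW_PRIV = make_keypair(2**89 - 1, 2**13 - 1)


def matthew_sends(message):
    """Sender side: encrypt to Richard's public key, sign with Matthew's private key."""
    return {"ciphertext": encrypt(RICHARD_PUB, message),
            "signature": sign(MATTHEW_PRIV, message)}


def richard_receives(envelope):
    """Receiver side: decrypt with Richard's private key, then check the
    signature with Matthew's public key. Returns (message, signature_ok)."""
    message = decrypt(RICHARD_PRIV, envelope["ciphertext"])
    return message, verify(MATTHEW_PUB, message, envelope["signature"])


def keys_needed(users):
    """Question 90: a pairwise symmetric key per user pair versus one key pair per user."""
    return {"symmetric": users * (users - 1) // 2, "asymmetric": 2 * users}


if __name__ == "__main__":
    env = matthew_sends(b"Draft contract attached; please do not forward.")
    print(richard_receives(env))
    print(keys_needed(10_000))
```

Note that the signature is computed over the plaintext and sent alongside the ciphertext; flipping a single bit of the ciphertext changes the decrypted bytes, so the verification step fails and Richard learns the message was tampered with.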
92. Which one of the following tools may be used to achieve the goal of nonrepudiation?
93. When should an organization conduct a review of the privileged access that a user has to sensitive systems?
94. Nessus, OpenVAS, and SAINT are all examples of what type of tool?
95. Kolin is searching for a network security solution that will allow him to help reduce zero-day attacks while using identities to enforce a security policy on systems before they connect to the network. What type of solution should Kolin implement?
96. How many possible keys exist when using a cryptographic algorithm that has an 8-bit binary encryption key?
97. In what cloud computing model does the customer build a cloud computing environment in his or her own data center or build an environment in another data center that is for the customer’s exclusive use?
98. What major issue often results from decentralized access control?
99. In what model of cloud computing do two or more organizations collaborate to build a shared cloud computing environment that is for their own use?
100. Susan’s organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute-force attacks?
101. Which of the following statements is true about heuristic-based anti-malware software?
102. Which one of the following malware types uses built-in propagation mechanisms that exploit system vulnerabilities to spread?
103. When Chris verifies an individual’s identity and adds a unique identifier like a user ID to an identity system, what process has occurred?
104. Fred needs to deploy a network device that can connect his network to other networks while controlling traffic on his network. What type of device is Fred’s best choice?
105. Match the following numbered types of testing methodologies with the lettered correct level of knowledge:
106. Cloud computing uses a shared responsibility model for security, where the vendor and customer each bears some responsibility for security. The division of responsibility depends upon the type of service used. Place the cloud service offerings listed here in order from the case where the customer bears the least responsibility to where the customer bears the most responsibility.
107. Bill implemented RAID level 5 on a server that he operates using a total of three disks. How many disks may fail without the loss of data?
108. What network topology is shown here?
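A miniature RAID 5 for question 107, added as an example rather than anything from the original page: three constructed disks, four-byte blocks, rotating XOR parity, and a reader that rebuilds one missing disk from the two survivors and refuses when two are missing. The disk count, block size and sample data are assumptions made for the demonstration:

```python
"""RAID 5 in miniature: striping with rotating XOR parity. Every stripe holds
n-1 data blocks and one parity block, so any single disk can be rebuilt from
the others; lose two and a stripe is missing two unknowns with one equation."""


def xor_blocks(blocks):
    out = bytes(len(blocks[0]))
    for b in blocks:
        out = bytes(x ^ y for x, y in zip(out, b))
    return out


def raid5_write(data, n_disks=3, block_size=4):
    """Return (disks, length): disks[d] is the list of blocks held by disk d.
    The parity position rotates stripe by stripe so no disk becomes a parity
    hot spot, which is what distinguishes RAID 5 from RAID 4."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = n_disks - 1
    blocks = [data[i:i + block_size].ljust(block_size, b"\0")
              for i in range(0, len(data), block_size)]
    while len(blocks) % per_stripe:            # pad the final stripe
        blocks.append(bytes(block_size))
    disks = [[] for _ in range(n_disks)]
    for s in range(len(blocks) // per_stripe):
        chunk = blocks[s * per_stripe:(s + 1) * per_stripe]
        parity_disk = s % n_disks
        it = iter(chunk)
        for d in range(n_disks):
            disks[d].append(xor_blocks(chunk) if d == parity_disk else next(it))
    return disks, len(data)


def raid5_read(disks, length, failed=()):
    """Rebuild the original bytes. 'failed' lists disk indexes whose contents
    are gone; they are never read. One failure is recovered by XORing the
    surviving blocks of each stripe; two failures cannot be recovered."""
    failed = set(failed)
    if len(failed) > 1:
        raise ValueError("RAID 5 tolerates only one failed disk; data is lost")
    n_disks = len(disks)
    surviving = [d for d in range(n_disks) if d not in failed]
    out = bytearray()
    for s in range(len(disks[surviving[0]])):
        row = {d: disks[d][s] for d in surviving}
        for f in failed:
            row[f] = xor_blocks([row[d] for d in surviving])  # parity rebuild
        parity_disk = s % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += row[d]
    return bytes(out[:length])


if __name__ == "__main__":
    disks, n = raid5_write(b"RAID 5 keeps one XOR parity block per stripe.")
    for d, contents in enumerate(disks):
        print(f"disk {d}:", contents)
    print(raid5_read(disks, n, failed=(1,)))
```

The reader deliberately takes the failed disk as an argument instead of the disk's data, so the test below can replace that disk with `None` and prove the rebuild never touches it.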
109. Which one of the following is normally used as an authorization tool?
110. Ben is concerned about password cracking attacks against his system. He would like to implement controls that prevent an attacker who has obtained those hashes from easily cracking them. What two controls would best meet this objective?
111. Mark is planning a disaster recovery test for his organization. He would like to perform a live test of the disaster recovery facility but does not want to disrupt operations at the primary facility. What type of test should Mark choose?
112. Alice sends a message to Bob and wants to ensure that Mal, a third party, does not read the contents of the message while in transit. What goal of cryptography is Alice attempting to achieve?
113. The company Chris works for has notifications posted at each door reminding employees to be careful to not allow people to enter when they do. Which type of controls best describes this?
114. Jim is implementing an IDaaS solution for his organization. What type of technology is he putting in place?
115. How many possible keys exist in a cryptographic algorithm that uses 6-bit encryption keys?
116. When an attacker calls an organization’s help desk and persuades them to reset a password for them because of the help desk employee’s trust and willingness to help, what type of attack succeeded?
117. Which one of the following is typically considered a business continuity task?
118. What type of log is shown here?
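For questions 33 and 110, an added example (not from the original page) that contrasts the unsalted hash a rainbow table is built against with a salted, stretched PBKDF2 hash. The wordlist, the passwords and the `pbkdf2_sha256$iterations$salt$hash` storage format are constructed for the demonstration, and the 600,000-iteration default is an assumption in line with commonly published PBKDF2-HMAC-SHA256 guidance rather than anything the questions state:

```python
"""Salting and key stretching against precomputed (rainbow-table) attacks.

A rainbow table is only useful when the same password always produces the
same hash. A per-user random salt breaks that, and a deliberately slow
derivation (PBKDF2 here; bcrypt/scrypt/Argon2 are the stronger choices)
makes on-line guessing against a stolen hash file expensive."""
import hashlib
import hmac
import os

# Constructed "rainbow table": plain SHA-256 of a few candidate passwords.
WORDLIST = ["password", "letmein", "Summer2024!", "correct horse battery staple"]
RAINBOW_SHA256 = {hashlib.sha256(w.encode()).hexdigest(): w for w in WORDLIST}


def unsalted_hash(password):
    """The weak scheme: identical passwords give identical, precomputable hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def rainbow_lookup(stored_hash):
    """What an attacker holding the table does with a stolen hash."""
    return RAINBOW_SHA256.get(stored_hash)


def hash_password(password, salt=None, iterations=600_000):
    """Salted, stretched hash: PBKDF2-HMAC-SHA256 with a random 16-byte salt.

    The result is stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'
    so the parameters travel with the hash and can be raised later without
    breaking existing records."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    stolen = unsalted_hash("letmein")
    print("unsalted hash cracked instantly:", rainbow_lookup(stolen))
    stored = hash_password("letmein")
    print("salted record:", stored)
    print("table lookup on salted hash:", rainbow_lookup(stored.split("$")[-1]))
    print("verify correct / wrong:", verify_password("letmein", stored),
          verify_password("Letmein", stored))
```

Two users who choose the same password get two different records, so a cracker must attack each record separately and, because of the iteration count, slowly; that is the combination question 110 is after.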
119. Kathleen needs to set up an Active Directory trust to allow authentication with an existing Kerberos V5 domain. What type of trust does she need to create?
For questions 120–122, please refer to the following scenario.
Ben owns a coffeehouse and wants to provide wireless Internet service for his customers. Ben’s network is simple and uses a single consumer-grade wireless router and a cable modem connected via a commercial cable data contract.
120. How can Ben provide access control for his customers without having to provision user IDs before they connect while also gathering useful contact information for his business purposes?
121. Ben intends to run an open (unencrypted) wireless network. How should he connect his business devices?
122. After implementing the solution from the first question, Ben receives a complaint about users in his cafe hijacking other customers’ web traffic, including using their usernames and passwords. How is this possible?
123. Frank is the security administrator for a web server that provides news and information to people located around the world. His server received an unusually high volume of traffic that it could not handle and was forced to reject requests. Frank traced the source of the traffic back to a botnet. What type of attack took place?
124. SYN floods rely on implementations of what protocol to cause denial-of-service conditions?
125. What is the longest encryption key supported by the Advanced Encryption Standard (AES) algorithm?
Matching table for question 105 (column headings only): Testing methodologies | Level of knowledge