Term
1. A security administrator is implementing a security program that addresses confidentiality and availability. Of the following choices, what else should the administrator include?
a. Ensure critical systems provide uninterrupted service.
b. Protect data in transit from unauthorized disclosure.
c. Ensure systems are not susceptible to unauthorized changes.
d. Secure data to prevent unauthorized disclosure. |
|
Definition
C. The administrator should ensure systems are not susceptible to unauthorized changes, and element of integrity. A security program should address the three core security principles of confidentiality, integrity, and availability; the system in the example is already addressing confidentiality and availability. Protecting data and security data to prevent unauthorized disclosure addresses confidentiality. Ensuring critical systems provide uninterrupted services addresses availability. |
|
|
Term
2. You need to transmit PII via email and you want to maintain its confidentiality. Of the following choices, which is the BEST solution?
a. Use hashes.
b. Encrypt it before sending.
c. Protect it with a digital signature.
d. Use RAID. |
|
Definition
| i. B. You can maintain confidentiality of any data, including Personally Identifiable Information (PII) with encryption. Hashes provide integrity, not confidentiality. A digital signature provides authentication, non-repudiation, and integrity. A redundant array of inexpensive disks (RAID) provides higher availability for a disk subsystem. |
|
|
Term
3. Lisa manages network devices in your organization and maintains copies of the configuration files for all the managed routers and switches. On a weekly basis, she created hashes for these files and compares them with hashes she created on the same files the previous week. Which security goal is she pursuing?
a. Confidentiality
b. Integrity
c. Availability
d. Safety |
|
Definition
| B. She is pursuing integrity by verifying the configuration files have not changed. By verifying that the hashes are the same, she also verifies that the configuration files are the same. Confidentiality is enforced with encryption, access controls, and stenography. Availability ensures systems are up and operational when needed. Safety goals help ensure the safety of personnel and/or other assets. |
|
|
Term
4. An organization wants to provide protection against malware attacks. Administrators have installed antivirus software on all computers. Additionally, they implemented a firewall and an IDS on the network. Which of the following BEST identifies this principle?
a. Implicit deny
b. Layered security
c. Least privilege
d. Flood guard |
|
Definition
| B. Layered security (or defense in depth) implements multiple controls to provide several layers of protection. In this case, the antivirus software provides one layer of protection while the firewall and the intrusion detection system (IDS) provide additional layers. Implicit deny blocks the access unless it has been explicitly allowed. Least privilege ensures that users are granted only the access they need to perform their jobs, and no more. A flood guard attempts to block SYN flood attacks. |
|
|
Term
5. Homer called into the help desk and says he forgot his password. Which of the following choices is the BEST choice for what the help-desk professional should do?
a. Verify the user’s account exists.
b. Look up the user’s password and tell the user what it is.
c. Disable the user’s account
d. Reset the password and configure the password to expire after the first use. |
|
Definition
| D. In this scenario, it’s best to create a temporary password that expires after the first use, which forces the user to create a new password. It’s not necessary to verify the user’s account exists, but the help-desk professional should verify the identity of the user. Passwords should not be available in such a way that allows help-desk professionals to look them up. It is not necessary to disable a user account to reset the password. |
|
|
Term
6. Which type of authentication does a hardware token provide?
a. Biometric
b. PIN
c. Strong password
d. One-time password |
|
Definition
| D. A hardware token (such as an RSA token) uses a one-time password for authentication in the something you have factor of authentication. Biometric methods are in the something you are factor of authentication, such as a fingerprint. A PIN and a password are both in the something you know factor of authentication and do not require a hardware token. |
|
|
Term
7. Which type of authentication is a retina scan?
a. Multifactor
b. TOTP
c. Biometric
d. Dual-factor |
|
Definition
| C. A retina scan is a biometric method of authentication in the something you are factor of authentication. You need to combine two or more factors of authentication for dual-factor and multifactor authentication. A time-based One-Time Password (TOTP) is a protocol used to create passwords that expire after 30 seconds. |
|
|
Term
8. Users are required to log on to their computer with a smart card and PIN. Which of the following BEST describes this?
a. Single-factor authentication
b. Multifactor authentication
c. Mutual authentication
d. TOTP |
|
Definition
| B. Users authenticate with two factors of authentication in this scenario, which is multifactor authentication or dual-factor authentication. The smart card is in the something you have factor of authentication, and the PIN is in the something you know factor of authentication. They are using more than a single factor. Mutual authentication is when both entities in the authentication process authenticate with each other, but it doesn’t apply in this situation. A Time-based One-Time Password (TOTP) is a protocol used to create passwords that expire after 30 seconds. |
|
|
Term
9. Your company recent began allowing workers to telecommute from home one or more days a week. However, your company doesn’t currently have a remote access solution. They want to implement an AAA solution that supports different vendors. Which of the following is the BEST choice?
a. TACACS+
b. RADIUS
c. Circumference
d. SAML |
|
Definition
| B. Remote Authentication Dial-In User Service (RADIUS) is an authentication, authorization, and account (AAA) protocol and is the best choice. TACACS+ is proprietary to Cisco, so it won’t support different vendor solutions. Diameter is preferable to RADIUS, but there is no such thing as a Circumference protocol. SAML is a SSO solution used with web-based applications. |
|
|
Term
10. Your organization has implemented a system that stores user credentials in a central database. Users log on once with their credentials. They can then access other systems in the organization without logging on again. What does this describe?
a. Same sign-on
b. SAML
c. Single sign-on
d. Biometrics |
|
Definition
| C. This describes a single sign-on (SSO) solution in which users only have to log on once. Same sign-on indicates users can access multiple systems using the same credentials, but they still have to enter their credentials again each time they access a new resource. Security Assertion Markup Language (SAML) is a SSO solution used for web-based applications, but not all SSO solutions are using SAML. Biometrics is a method of authentication, such as a fingerprint, but isn’t a SSO solution. |
|
|
Term
11. Your organization issues users a variety of different mobile devices. However, management wants to reduce potential data losses I f the devices are lost or stolen. Which of the following is the BEST technical control to achieve this goal?
a. Cable locks
b. Risk assessment
c. Disk encryption
d. Hardening the systems |
|
Definition
| C. Disk encryption is a strong technical control that can mitigate potential data losses if mobile devices are lost or stolen. Cable locks are preventive controls that can prevent the theft of mobile devices such as laptops, but they don’t protect the data after the device is stolen. A risk assessment is a management control. Hardening systems helps make them more secure than their default configuration, but doesn’t necessarily protect data after the device is lost. |
|
|
Term
12. Your primary job activities include monitoring security logs, analyzing trend reports, and installing CCTV systems. Which of the following choices BEST identifies your responsibilities? (Select TWO)
a. Hardening systems
b. Detecting security incidents
c. Preventing incidents
d. Implementing monitoring controls |
|
Definition
| B, D. Monitoring security logs and analyzing trend reports are detective controls with the goal of detecting security incidents. Installing closed-circuit television (CCTV) systems is one example of implementing a monitoring control. Hardening a system is a preventive control that includes several steps such as disabling unnecessary services, but the scenario doesn’t describe these steps. Preventive controls attempt to prevent incidents, but the scenario describes detective controls. |
|
|
Term
13. A security professional has reported an increase in the number of tailgating violations into a secure data center. What can prevent this?
a. CCTV
b. Mantrap
c. Proximity card
d. Cipher lock |
|
Definition
| B. A mantrap is highly effective at preventing unauthorized entry and can also be sued to prevent tailgating. CCTV provides video surveillance and it can record unauthorized entry, but it can’t prevent it. A proximity card is useful as an access control mechanism, but it won’t prevent tailgating, so this is as useful as a mantrap. A cipher lock is a door access control, but it can’t prevent tailgating. |
|
|
Term
14. You are redesigning your password policy. You want to ensure that users change their passwords regularly, but they are unable to reuse passwords. What settings should you configure? (Select THREE)
a. Maximum password age
b. Password length
c. Password history
d. Password complexity
e. Minimum password age |
|
Definition
| A, C, E. The maximum password age ensures users change their passwords regularly. The password history records previously used passwords (such as the last 24 passwords) to prevent users from reusing the same passwords. The minimum password age prevents users from changing their password repeatedly to get back to their original password and should be used with the password history setting. Password length requires a minimum number of characters in a password. Password complexity requires a mix of uppercase and lowercase letters, numbers, and special characters. |
|
|
Term
15. An outside security auditor recently completed an in-depth security audit on your network. One of the issues he reported was related to passwords. Specifically, he found the following passwords used on the network: Pa$$, 1@W2, and G7bT3. What should be changed to avoid the problem shown with these passwords?
a. Password complexity
b. Password length
c. Password history
d. Password reuse |
|
Definition
| B. The password policy should be changed to increase the minimum password length of passwords. These passwords are only four and five characters long, which is too short to provide adequate security. They are complex because they include a mixture of at least three of the following character types: uppercase, lowercase letters, numbers, and special characters. Password history and password reuse should be addressed if users are reusing the same passwords, but the scenario doesn’t indicate this is a problem. |
|
|
Term
16. A recent security audit discovered several apparently dormant user accounts. Although users could long on to the accounts, no one had logged on to them for more than 60 days. You later discovered that these accounts are for contractors who work apparently one week every quarter. What is the BEST response to this situation?
a. Remove the account expiration from the accounts
b. Delete the accounts
c. Reset the accounts
d. Disable the accounts |
|
Definition
| D. The best response is to disable the accounts and then enable them when needed by the contractors. Ideally, the accounts would include an expiration date so they would have an expiration date. Because the contractors need to access the accounts periodically, it’s better to disable them rather than deleting them. Resetting the accounts implies you are changing the password, but this isn’t needed. |
|
|
Term
17. Your organization routinely hires contractors to assist with different projects. Administrators are rarely notified when a project ends and contractors leave. Which of the following is the BEST choice to ensure that contractors cannot log on with their account after they leave?
a. Enable account expiration
b. Enable an account enablement policy
c. Enable an account recovery policy
d. Enable generic accounts |
|
Definition
| A. The best choice is to enable account expiration so that the contractor accounts are automatically disabled at the end of their projected contract time period. If contracts are extended, it’s easy to enable the account and reset the account expiration date. Account disablement policies help ensure that any user accounts (not just contractors) are disabled when the user leaves the organization, but an account enablement policy isn’t a valid term. An account recovery policy allows administrators to recover accounts and associated security keys for ex-employees. It’s best to prohibit the use of generic accounts (such as the Guest account), so enabling generic accounts is not recommended. |
|
|
Term
18. Developers are planning to develop an application using role-based access control. Which of the following would they MOST likely include in their planning?
a. A listing of labels reflecting classification levels
b. A requirements list identifying need to know
c. A listing of owners
d. A matrix of functions matched with their required privileges |
|
Definition
| D. A matrix of functions, roles, or job titles matched with the required access privileges for each of the functions, roles, or job titles is a common planning document for a role-based access control model. The mandatory access control (MAC) model uses sensitivity labels and classification levels. MAC is effective at restricting access based on a need to know. The discretionary access control model specifies that every object has an owner and it might identify owners in a list. |
|
|
Term
19. An organization has implemented an access control model that enforces permissions based oon data labels assigned at different levels. What type of model is this?
a. DAC
b. MAC
c. Role-BAC
d. Rule-BAC |
|
Definition
| B. The mandatory access control (MAC) model uses labels assigned at different levels to restrict access. The discretionary access control (DAC) model assigns permissions based on object ownership. The role-based access control (role-BAC) model uses group –based privileges. The rule-based access control (rule-BAC) model uses that trigger in response to events. |
|
|
Term
20. Your organizations security policy requires that PII data at rest and PII data in transit be encrypted. Of the following choices, what would the organization use to achieve these objectives? (select TWO)
a. FTP
b. SSH
c. SMTP
d. PGP/GPG
e. HTTP |
|
Definition
| B, D. You can use Secure Shell (SSH) to encrypt Personally Identifiable Information (PII) data when transmitting it over the network (data in transit). While Pretty Good Privacy (PGP)/GNU Privacy Guard (GPG) is primarily used to encrypt email, it can also be used to encrypt data at rest. File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP) transmit data in clear text unless they are combined with an encryption protocol. |
|
|
