CISSP Practice Test 1
Question 1 of 60
Our organization has been court ordered to comply with the “Data Protection Directive” in the EU. What is one of the things we need to do in order to do that?
EU Data Protection Directive: a very aggressive pro-privacy law. Organizations must notify individuals of how their data is gathered and used. Organizations must allow individuals to opt out of sharing with third parties. Opt-in is required for sharing the most sensitive data. No transmission out of the EU is allowed unless the receiving country is perceived to have adequate (equal) privacy protections; the US does NOT meet this standard. EU-US Safe Harbor: an optional agreement between an organization and the EU.
Question 2 of 60
What is the relationship between our Business Continuity Plan (BCP) and our Disaster Recovery Plan (DRP)?
Question 3 of 60
We are implementing some new standards and frameworks in our organization. We chose to use scoping on one of the standards we are implementing. What does scoping mean?
Scoping is determining which portion of a standard we will deploy in our organization. We take the portions of the standard that we want or that apply to our industry, and determine what is in scope and what is out of scope for us.
Question 4 of 60
In our software testing, if we are doing a white box test, how much information would we have?
White box software testing: The tester has full access to program source code, data structures, variables, etc.
Question 5 of 60
There are many different types of attacks on intellectual property. Which of these is a COMMON type of attack on trademarks?
The most common attack against trademarks is counterfeiting: fake Rolex, Prada, Nike and Apple products, using either the real name or a very similar name.
Question 6 of 60
We use many different names for different types of networks. When our engineers are talking about the extranet, what are they referring to?
An Extranet is a connection between private Intranets, often connecting business partners’ Intranets.
Question 7 of 60
We are using a hot site secondary data center as part of DR (Disaster Recovery) plan. What would we have at the hot site?
Hot site: similar to the redundant site, but only houses critical applications and systems, often on lower-spec’d systems. Still often a smaller but full data center, with redundant UPSs, HVAC units, ISPs and generators. We may have to fail traffic over manually, but a full switch can take an hour or less. Near-real-time or real-time copies of data.
Question 8 of 60
We use different risk analysis approaches and tools in our risk assessments. In which type of risk analysis would you see these terms? Exposure factor (EF), Asset Value (AV), and Annual Rate of Occurrence (ARO)?
Quantitative Risk Analysis is where we put a number on the risk: how much does it cost each time it happens? How often does it happen? Asset Value (AV): how much is the asset worth? Exposure Factor (EF): what percentage of the asset value is lost? Annual Rate of Occurrence (ARO): how often will this happen each year?
Question 9 of 60
Which of these would be the PRIMARY reason we would choose to use hash functions?
Hash Functions (One-Way Hash Functions) are used for integrity: a variable-length plaintext is hashed into a fixed-length hash value or MD (Message Digest). It is used to prove that the data has not changed. Even changing a comma in a 1000-page document will produce an entirely new hash.
Question 10 of 60
When we talk about data, we look at the 3 states it can be in. In which of those states, are we unable to protect the data by using encryption?
Data in Use: we are actively using the files or data, so it can’t be encrypted. Use good practices instead: a clean desk policy, a print policy, allowing no ‘shoulder surfing’ (perhaps with view-angle privacy screens for monitors), and locking the computer screen when leaving the workstation.
Question 11 of 60
We have acquired a competing organization and your team is working on the risk analysis for the applications they use internally. You would use which of these as PART of your Qualitative Risk Analysis?
Qualitative Risk Analysis: This is vague, guessing, based on a feeling, and relatively quick to do. We add all our assets to a matrix and assign them values on “how likely is it to happen and how bad is it if it happens?” It is often done to know where to focus the Quantitative Risk Analysis.
Question 12 of 60
Jane has been tasked with finding multifactor authentication solutions for our organization. Which of these is TRUE multifactor authentication?
Multifactor authentication requires more than one type of authentication factor. Username/password are both knowledge factors, as are password/PIN, and fingerprint/retina scans are both biometrics.
Question 13 of 60
Acting ethically is very important, especially for IT security professionals. If we look at the IAB’s “Ethics and the Internet,” which of these behaviors does it NOT consider unethical?
IAB’s Ethics and the Internet, defined as a Request for Comments (RFC), #1087, published in 1987. It characterized as unethical any activity that purposely: seeks to gain unauthorized access to the resources of the Internet; disrupts the intended use of the Internet; wastes resources (people, capacity, computer) through such actions; destroys the integrity of computer-based information; or compromises the privacy of users.
Question 14 of 60
When we use single-use passwords and one-time pads, we are using which type of authentication?
Single-use passwords and one-time pads: while they are passwords, they are something you have in your possession, not something you know.
Question 15 of 60
When we are doing quantitative risk analysis, what does the Asset Value (AV) tell us?
Asset Value (AV) – How much is the asset worth?
Question 16 of 60
We want to mitigate injection attacks (OWASP A1) on our web servers. What can we implement to help with that?
A1 Injection: any code injected through user input forms; SQL and LDAP injection are the most commonly seen. Attackers can do this because our software lacks strong enough input validation, data-type restrictions on input fields, and input length limitations. The fix is to do just that: we only allow users to enter appropriate data into each field (only letters in names, only digits in phone numbers, dropdowns for country and state where applicable), and we limit how many characters people can enter per field.
Question 17 of 60
Which of these describes Type 1 authentication?
Something you know – Type 1 Authentication: passwords, passphrases, PINs, etc., also called knowledge factors. The subject uses these to authenticate their identity: they know the secret, therefore they must be who they say they are.
Question 18 of 60
Jane has written a book on IT security. With books, copyright is automatically granted, and Jane owns all the rights to her materials. How long are copyrighted materials protected after the creator’s death?
Question 19 of 60
If we want to implement a type of encryption that uses discrete logarithms, which of these could we choose?
Elliptic Curve Cryptography (ECC) is a one-way function that uses discrete logarithms applied to elliptic curves. It is much stronger per bit than ordinary discrete logarithms.
Question 20 of 60
The US HIPAA laws have 3 core rules. Which of these is NOT one of them?
HIPAA (Health Insurance Portability and Accountability Act) has 3 rules – Privacy rule, Security rule and Breach Notification rule. The rules mandate administrative, physical and technical safeguards. Risk Analysis is required.
Question 21 of 60
Which of these types of data destruction would we use to ensure there is no data remanence on our PROM, flash memory, and SSD drives?
We can’t overwrite, format or degauss PROM. The only way to ensure destruction is shredding.
Question 22 of 60
Which type of networking circuits would we use to ensure the traffic ALWAYS uses the same path?
Circuit switching – Expensive, but always available; used less often. A dedicated communications channel through the network. The circuit guarantees the full bandwidth. The circuit functions as if the nodes were physically connected by a cable.
Question 23 of 60
Which generation of programming languages often uses a graphical user interface and drag-and-drop for generating the actual code?
4th Generation languages (4GL): often use a GUI and drag-and-drop to generate the code; commonly used for websites, databases and reports.
Question 24 of 60
We are adding hashing to our passwords. Which of these is a hashing function we could consider?
Hash Functions: RIPEMD: developed outside of the defense sector to ensure no government backdoors. 128-, 256- and 320-bit hashes. Not widely used. No longer secure.
Question 25 of 60
We have hired an IT security firm to do penetration testing on our organization. Which of these could be something they would use?
Kali Linux is a Linux distribution designed for hackers; it is a toolkit with many different attack vectors.
Question 26 of 60
We have decided to change the type of hashing we use to a newer version that is collision resistant. What happens when a hash collision occurs?
Collisions: when two different inputs produce the same hash. It is possible, but very unlikely.
Question 27 of 60
When an attacker is using Distributed Denial Of Service (DDOS) attacks, which leg of the CIA Triad is that meant to disrupt?
When we get hit by a Distributed Denial Of Service (DDOS) attack, it disrupts our availability, but not integrity or confidentiality.
Question 28 of 60
Object-oriented programming tends to lean towards which programming process?
Bottom-up Programming: piecing together systems to build more complex systems, making the original systems sub-systems of the overarching system. OOP tends toward bottom-up: you start by developing your objects and build up.
Question 29 of 60
We need to get rid of some old hard drives, and we need to ensure proper data disposal and no data remanence. Which of these options has NO known tools that can restore the data once that specific disposal process has been used?
We can still recover files from deleted, formatted or reinstalled drives. Overwriting is done by writing 0’s or random characters over the data. As far as we know, there is no tool available that can recover data after even a single-pass overwrite (overwriting is not possible on damaged media).
Question 30 of 60
You have been tasked with looking at PURELY physical security controls for a new implementation. Which of these would you consider using?
Dogs are a physical security control. Access lists and biometrics are technical and regulations are administrative.
Question 31 of 60
Jane is implementing Quality of Service (QoS) on our network. Which of these is one of the KEY benefits of QOS?
QoS (Quality of Service) gives specific traffic priority over other traffic; this is most commonly VoIP (Voice over IP) or other UDP traffic that needs close to real-time communication. Other non-real-time traffic is deprioritized; the 0.25-second delay won’t be noticed.
Question 32 of 60
We are using server clustering on critical applications. What is the MAIN purpose of server clustering?
Clustering is designed for fault tolerance; it is often combined with load balancing, but not innately. Clustering can be active/active, which is load balancing: with 2 servers, both servers actively process traffic. Active/passive: there is a designated primary active server and a secondary passive server; they are connected and the passive server sends a keep-alive or heartbeat every 1-3 seconds (“are you alive, are you alive…”).
Question 33 of 60
The CIA triad is one of the foundational pieces of IT security. We want to find the right mix of confidentiality, integrity and availability, and we want to ensure none of the legs is compromised. Which of these is NOT one of the CIA triad opposites?
The CIA (Confidentiality, Integrity, Availability) Triad: Confidentiality – We keep our data and secrets secret. Integrity – We ensure the data has not been altered. Availability – We ensure authorized people can access the data they need, when they need to.
Question 34 of 60
Which type of authentication is the WORST to have compromised, because we are unable to reissue it?
Something you are – Type 3 Authentication (Biometrics): Lost passwords and ID cards can be replaced with new different ones. Biometrics can’t. You can’t change your fingerprints; once compromised they are always compromised.
Question 35 of 60
If we are looking for information on a specific systems hardware, which of our plans could we find that in?
DRP (Disaster Recovery Plan): often the “how” and system-specific, while the BCP is more the “what” and non-system-specific. This is the process of creating the short-term plans, policies, procedures and tools to enable the recovery or continuation of vital IT systems in a disaster. It focuses on the IT systems supporting critical business functions, and how we get those back up after a disaster. DRP is a subset of our BCP. We look at what we would do if we get hit with a Distributed Denial Of Service (DDOS) attack, if a server gets compromised, if we experience a power outage, etc.
Question 36 of 60
Which are the COMMON US military clearance levels?
The US military uses: Top-secret, secret, confidential and unclassified.
Question 37 of 60
Which of these types of memory keeps the data it stores as long as it has power and the data is NOT overwritten?
SRAM (Static RAM): Fast and expensive. Uses latches to store bits (Flip-Flops). Does not need refreshing to keep data, keeps data until power is lost. This can be embedded on the CPU.
Question 38 of 60
38. Question
In which order would these recovery site options be ranked from the highest to the lowest cost?
Correct
Redundant site: A complete, identical copy of our production site; it receives a real-time copy of our data. Hot site: Similar to the redundant site, but only houses critical applications and systems, often on lower spec’d systems. Warm site: Similar to the hot site, but without real-time or near-real-time data; it is often restored from backups. Cold site: No hardware or backups are at the cold site; systems must be acquired and configured, and applications loaded and configured.
Question 39 of 60
39. Question
Health care systems in the US must be HIPAA compliant. What is HIPAA an abbreviation of?
Correct
HIPAA is the Health Insurance Portability and Accountability Act.
Incorrect
HIPAA is the Health Insurance Portability and Accountability Act.
Unattempted
HIPAA is the Health Insurance Portability and Accountability Act.
Question 40 of 60
40. Question
As part of our software testing, we are performing regression testing. What does that mean?
Correct
Regression testing: Finding defects after a major code change has occurred. It looks for software regressions, such as degraded or lost features, including old bugs that have come back.
Question 41 of 60
41. Question
We are using social engineering. Which of these are effective types of social engineering?
Correct
Social engineering is often more successful if it uses one or more of these approaches: authority, intimidation, consensus, scarcity, urgency, or familiarity.
Question 42 of 60
42. Question
Which of these countermeasures would be effective against rainbow tables?
Correct
Salt (Salting): Random data that is used as an additional input to a one-way function that “hashes” a password or passphrase. The primary function of salts is to defend against dictionary attacks or a pre-compiled rainbow table attack. Rainbow Tables: Pre-made list of plaintext and matching ciphertext, often passwords and matching hashes. A table can contain millions of pairs.
Incorrect
Salt (Salting): Random data that is used as an additional input to a one-way function that “hashes” a password or passphrase. The primary function of salts is to defend against dictionary attacks or a pre-compiled rainbow table attack. Rainbow Tables: Pre-made list of plaintext and matching ciphertext, often passwords and matching hashes. A table can contain millions of pairs.
Unattempted
Salt (Salting): Random data that is used as an additional input to a one-way function that “hashes” a password or passphrase. The primary function of salts is to defend against dictionary attacks or a pre-compiled rainbow table attack. Rainbow Tables: Pre-made list of plaintext and matching ciphertext, often passwords and matching hashes. A table can contain millions of pairs.
Question 43 of 60
43. Question
In our data centers we have redundancy on many things. Looking at our servers, which of these elements are commonly NOT redundant?
Correct
Motherboards are rarely redundant; instead we use redundant servers. NICs, PSUs and disks are almost always redundant in servers.
Question 44 of 60
44. Question
Which kind of type 3 authentication errors are the WORST?
Correct
FAR (False accept rate) Type 2 error: Unauthorized user is granted access. This is a very serious error.
Incorrect
FAR (False accept rate) Type 2 error: Unauthorized user is granted access. This is a very serious error.
Unattempted
FAR (False accept rate) Type 2 error: Unauthorized user is granted access. This is a very serious error.
Question 45 of 60
45. Question
At the quarterly leadership conference, you are talking about threats to our environments and one of the participants asks you to define what a threat is. Which of these could be your answer?
Correct
Threat – A potentially harmful incident (Tsunami, Earthquake, Virus, etc.)
Incorrect
Threat – A potentially harmful incident (Tsunami, Earthquake, Virus, etc.)
Unattempted
Threat – A potentially harmful incident (Tsunami, Earthquake, Virus, etc.)
Question 46 of 60
46. Question
Our networking department is recommending we use a simplex solution for an implementation. What is one of the KEY FEATURES of simplex solutions?
Correct
Simplex is a one-way communication (one system transmits, the other listens).
Incorrect
Simplex is a one-way communication (one system transmits, the other listens).
Unattempted
Simplex is a one-way communication (one system transmits, the other listens).
Question 47 of 60
47. Question
In a Business Impact Analysis (BIA) assessment, which of these statements would be acceptable?
Correct
MTD ≥ RTO + WRT: The time to rebuild the system and configure it for reinsertion into production must be less than or equal to our MTD.
Question 48 of 60
48. Question
All but one of these are networking topologies we could use in our design. Which is NOT a network topology?
Correct
Matrix is not a network topology. Ring, Mesh and Star are network topologies.
Incorrect
Matrix is not a network topology. Ring, Mesh and Star are network topologies.
Unattempted
Matrix is not a network topology. Ring, Mesh and Star are network topologies.
Question 49 of 60
49. Question
We have implemented contactless ID cards in our organization. Which type of technology do they use?
Correct
Contactless Cards – can be read by proximity. Key fobs or credit cards where you just hold the card close to a reader. They use an RFID (Radio Frequency Identification) tag (transponder), which is then read by an RFID transceiver.
Question 50 of 60
50. Question
Which of these COMMON frameworks focuses on Information Technology Service Management (ITSM)?
Correct
ITIL – Information Technology Infrastructure Library. IT Service Management (ITSM).
Incorrect
ITIL – Information Technology Infrastructure Library. IT Service Management (ITSM).
Unattempted
ITIL – Information Technology Infrastructure Library. IT Service Management (ITSM).
Question 51 of 60
51. Question
Which type of Redundant Array of Independent Disks (RAID) configuration ALWAYS provides redundancy?
Correct
Disk mirroring: Writing the same data across multiple hard disks. This is slower, since the Redundant Array of Independent Disks (RAID) controller has to write all data twice, and it needs at least 2 disks. Disk striping can provide redundancy too IF it uses parity, but by default it does not.
Question 52 of 60
52. Question
Which of these is NOT a phase of our Disaster Recovery Planning (DRP) lifecycle?
Correct
DRP has a lifecycle of Mitigation, Preparation, Response and Recovery. Mitigation: Reduce the impact and likelihood of a disaster. Preparation: Build programs, procedures and tools for our response. Response: How we react in a disaster, following the procedures. Recovery: Reestablish basic functionality and get back to full production.
Question 53 of 60
53. Question
What is the difference between freeware and shareware?
Correct
Freeware: Actually free software; it is free of charge to use. Shareware: Fully functional proprietary software that is initially free to use. It is often offered as a trial to test the software; after 30 days you have to pay to continue using it.
Question 54 of 60
54. Question
Which of these is NOT related to security misconfigurations (OWASP A5)?
Correct
While using deprecated objects or code is a security issue, it falls under OWASP A9, Using Components with Known Vulnerabilities. A5 Security Misconfiguration would be databases configured incorrectly; not removing out-of-the-box default access and settings; keeping default usernames and passwords; OS, web server, DBMS, applications, etc. not patched and up to date; and unnecessary features enabled or installed, which could be open ports, services, pages, accounts, privileges, etc.
Question 55 of 60
55. Question
The NSA wanted to embed the clipper chip on all motherboards. Which encryption algorithm did the chip use?
Correct
The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency (NSA) as an encryption device that secured “voice and data messages” with a built-in backdoor. It used SkipJack, a block cipher.
Incorrect
The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency (NSA) as an encryption device that secured “voice and data messages” with a built-in backdoor. It used SkipJack, a block cipher.
Unattempted
The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency (NSA) as an encryption device that secured “voice and data messages” with a built-in backdoor. It used SkipJack, a block cipher.
Question 56 of 60
56. Question
When we buy software from a vendor, what should we ALWAYS do?
Correct
Buying software from other companies: When we buy software from vendors, either COTS (Commercial Off The Shelf) or custom-built software, we need to ensure it is as secure as we need it to be. Vendors’ claims about their security posture should, until proven, be seen as marketing claims. We need to exercise due care and due diligence, and use outside counsel if needed.
Question 57 of 60
57. Question
In our best practice password policy, which of these would be allowed?
Correct
Passwords should never contain: The name of a pet, child, family member, or significant other, anniversary dates, birthdays, birthplace, favorite holiday, something related to a favorite sports team, or the word “password.” Winter2017 is not a good password, even if it does fulfill the password requirements. Official recommendations by the U.S. Department of Defense and Microsoft: password history = set to remember 24 passwords; maximum password age = 90 days; minimum password age = 2 days (to prevent users from cycling through 24 passwords to return to their favorite password again). Minimum password length = 8 characters. Passwords must meet complexity requirements = true. Store password using reversible encryption = false.
Incorrect
Passwords should never contain: The name of a pet, child, family member, or significant other, anniversary dates, birthdays, birthplace, favorite holiday, something related to a favorite sports team, or the word “password.” Winter2017 is not a good password, even if it does fulfill the password requirements. Official recommendations by the U.S. Department of Defense and Microsoft: password history = set to remember 24 passwords; maximum password age = 90 days; minimum password age = 2 days (to prevent users from cycling through 24 passwords to return to their favorite password again). Minimum password length = 8 characters. Passwords must meet complexity requirements = true. Store password using reversible encryption = false.
Unattempted
Passwords should never contain: The name of a pet, child, family member, or significant other, anniversary dates, birthdays, birthplace, favorite holiday, something related to a favorite sports team, or the word “password.” Winter2017 is not a good password, even if it does fulfill the password requirements. Official recommendations by the U.S. Department of Defense and Microsoft: password history = set to remember 24 passwords; maximum password age = 90 days; minimum password age = 2 days (to prevent users from cycling through 24 passwords to return to their favorite password again). Minimum password length = 8 characters. Passwords must meet complexity requirements = true. Store password using reversible encryption = false.
Question 58 of 60
58. Question
Which of these backup types would NOT clear the archive bit on Windows systems?
Correct
Full and incremental backups clear the archive bit; differential backups do not. We have no clue what type of backup the weekly one is, so that is not the right answer.
Question 59 of 60
59. Question
Which type of disaster would we classify an earthquake as?
Correct
Natural: Anything caused by nature, this could be earthquakes, floods, snow, tornados, etc. They can be very devastating, but are less common than the other types of threats.
Incorrect
Natural: Anything caused by nature, this could be earthquakes, floods, snow, tornados, etc. They can be very devastating, but are less common than the other types of threats.
Unattempted
Natural: Anything caused by nature, this could be earthquakes, floods, snow, tornados, etc. They can be very devastating, but are less common than the other types of threats.
Question 60 of 60
60. Question
When we design our defense in depth, we use multiple overlapping controls. Which of these is a type of preventative access control?
Correct
Preventative access control: Prevents action from happening – Least Privilege, Drug Tests, IPS, Firewalls, Encryption.
Incorrect
Preventative access control: Prevents action from happening – Least Privilege, Drug Tests, IPS, Firewalls, Encryption.
Unattempted
Preventative access control: Prevents action from happening – Least Privilege, Drug Tests, IPS, Firewalls, Encryption.