CISSP Practice Test 2
Question 1 of 60
In a new implementation we have chosen to use Redundant Array of Independent Disks (RAID) 0 on a server. What does that tell us about the disk configuration?
RAID 0: Striping without mirroring or parity; no fault tolerance; only provides faster read/write speed; requires at least 2 disks.
Question 2 of 60
We are choosing a site to build a new data center and offices in. Which of these would NOT be a valid security concern?
Site Selection: Greenfield: Not built on yet; undeveloped land. Topography: the physical shape of the landscape – hills, valleys, trees, streams. Most often used in military sites, where they can leverage (sometimes by altering) the topography for higher security. Utilities: How reliable are the power and the internet in the area? Crime: How high are the crime rates in the area? How close are the police?
Question 3 of 60
We are using DAC (Discretionary Access Control) in our organization. What is DAC based on?
DAC (Discretionary Access Control): Often used when availability is most important. Access to an object is assigned at the discretion of the object owner. The owner can add and remove rights; this model is commonly used by most OSes. Uses DACLs (Discretionary ACLs), based on user identity.
Question 4 of 60
We are building a new data center, and we will use the new site for real-time backups of our most critical systems. In the conduits between the demarc and the new server room, there are a lot of power cables. Which type of networking cable would be the BEST to use between the demarc and the server room?
Fiber optic cables are not susceptible to EMI, so the cables can be run next to power cables with no adverse effects.
Question 5 of 60
There are many types of financially motivated attacks. Which of these attacks is normally NOT one of them?
Distributed Denial of Service (DDoS) normally does not benefit an attacker financially; the motivation is often revenge, disagreement with a decision, or just to prove the attacker can.
Question 6 of 60
Attackers are using Distributed Denial of Service (DDoS) attacks on our organization using a UDP flood. How does that type of DDoS attack work?
UDP (User Datagram Protocol) floods are used frequently for larger-bandwidth DDoS attacks because UDP is connectionless and it is easy to generate UDP messages from many different scripting and compiled languages.
Question 7 of 60
With newer CPUs (Central Processing Units) we can use pipelining, where each processor cycle does multiple tasks. Which of these are functions the CPU performs? (Select all that apply.)
The CPU (Central Processing Unit) uses Fetch, Decode, Execute, and Store. Fetch – Gets the instructions from memory into the processor. Decode – Internally decodes what it is instructed to do. Execute – Takes the add or subtract values from the registers. Store – Stores the result back into another register (retiring the instruction). Pipelining – Combining multiple steps into one process; can Fetch, Decode, Execute, and Store in the same clock cycle.
Question 8 of 60
When, in telecommunications, we talk about the demarc, what are we referring to?
Demarc – Point of Demarcation (POD): Where the ISP (Internet Service Provider) terminates their phone/internet lines and your network begins; most buildings only have one.
Question 9 of 60
When an attacker can guess a URL they don't know about from another, similar, logical URL, what is that called?
2013 A4 Insecure Direct Object Reference. Users can access resources they shouldn't by guessing the URL or path, especially if it is logical. If you have access to a report named financials_may2017.pdf on your organization's network, you can try guessing other file names you should not have access to, such as financials_August.pdf or financials_2017.pdf. Mitigated by proper access control, using non-sequential names, or monitoring file usage.
Question 10 of 60
Different types of memory are made for specific tasks and functions in our hardware. Which of these are types of nonvolatile memory? (Select all that apply.)
ROM (Read Only Memory) is nonvolatile (retains memory after power loss). EEPROM (Electrically Erasable Programmable Read Only Memory) – These are electrically erasable; you can use a flashing program. This is still called read only. The ability to write to the BIOS makes it vulnerable to attackers. PLDs (Programmable Logic Devices) are programmable after they leave the factory (EPROM, EEPROM and flash memory). Not PROM.
Question 11 of 60
For us to ensure CONTINUAL clean power in our data center, we would use which of these?
A UPS (Uninterruptible Power Supply) contains a large battery bank that will take over in a power outage; it also provides surge protection.
Question 12 of 60
In our physical access control, we use gates and fences to ensure what happens?
Fences (Deterrence, Preventative): Smaller fences, such as 3 ft. (1 m), can be a deterrent, while taller ones, such as 8 ft. (2.4 m), can be a prevention mechanism. The purpose of the fences is to ensure that entrances/exits from the facility happen through only a few entry points (doors, gates, turnstiles). Gates (Deterrence, Preventative): Placed at control points at the perimeter. Used with the fences to ensure that access only happens through a few entry points.
Question 13 of 60
Without using anything to trick our systems, an unauthorized individual is allowed access using our biometric authentication. This is an example of what?
FAR (False Accept Rate), Type 2 error: An unauthorized user is granted access. This is a very serious error.
Question 14 of 60
Six months ago, we had an attacker trying to gain access to one of our servers. The attack was not successful, and the authorities were able to find the attacker using our forensics. In court, the attacker claims we used entrapment. Which of these options describes entrapment?
Entrapment (illegal and unethical): When someone is persuaded to commit a crime they had no intention of committing and is then charged with it; for example, openly advertising sensitive data and then charging people when they access it. Entrapment is a solid legal defense.
Question 15 of 60
Which of these should NOT be part of our proper hardware disposal procedures?
Deleting a file just removes it from the file table; everything is still recoverable. Crushing, degaussing, and overwriting should all be non-recoverable.
Question 16 of 60
What would be a reason to do misuse case testing on our software?
Misuse Case Testing: Executing a malicious act against a system. Attackers won't do what normal users would, so we need to test misuse to ensure our application or software is safe.
Question 17 of 60
We are building a new data center and the walls must be slab-to-slab. What does that mean?
Walls should be "slab to slab" (from the REAL floor to the REAL ceiling); if subflooring or sub-ceilings are used, then they should be contained within the slab-to-slab walls.
Question 18 of 60
When a penetration tester is doing a black box test, how much knowledge do they have about their target?
Black Box Pen Testing (Zero Knowledge): The attacker has no knowledge about the organization other than publicly available information. They start from the point an external attacker would.
Question 19 of 60
When an attacker is using a brute force attack to break a password, what are they doing?
Brute Force: Using the entire key space (every possible key); with enough time, any plaintext can be decrypted. Effective against all key-based ciphers except the one-time pad; it would eventually decrypt it, but it would also generate so many false positives that the data would be useless.
Question 20 of 60
In which type of access control do subjects have clearances and objects have labels?
MAC (Mandatory Access Control): Often used when confidentiality is most important. Access to an object is determined by labels and clearance. This is often used in the military or in organizations where confidentiality is very important.
Question 21 of 60
Our Disaster Recovery Plan (DRP) is a subplan of our Business Continuity Plan (BCP), and the DRP lifecycle has 4 distinct phases. What are those 4 phases? (Select all that apply.)
The DRP has a lifecycle of Mitigation, Preparation, Response and Recovery. Mitigation: Reduce the impact and likelihood of a disaster. Preparation: Build programs, procedures and tools for our response. Response: How we react in a disaster, following the procedures. Recovery: Reestablish basic functionality and get back to full production.
Question 22 of 60
Looking at the governance of our organization, we can use policies, standards, procedures, or other frameworks. Which of these characteristics would BEST describe our policies?
Policies – Mandatory: High level, non-specific. They can contain "patches, updates, strong encryption"; they will not be specific to "OS, encryption type, vendor technology".
Question 23 of 60
In the software Capability Maturity Model, at which level are some processes "possibly repeatable with consistent results"?
Level 2: Repeatable. At this level of maturity, some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.
Question 24 of 60
Which of these would be part of our Disaster Recovery Plan (DRP)?
Our DRP (Disaster Recovery Plan) should answer at least three basic questions: What is the objective and purpose? Who will be the people or teams responsible in case any disruptions happen? What will these people do (our procedures) when the disaster hits?
Question 25 of 60
What is the ISO 27002 standard focused on?
ISO 27002 (from BS 7799 Parts 1/2, ISO 17799): Provides practical advice on how to implement security controls. It focuses on Information Security Management Systems (ISMS).
Question 26 of 60
Which of these is NOT a type of open-source software licensing?
Open source software can be protected by a variety of licensing agreements. GNU (General Public License), BSD (Berkeley Software Distribution) and Apache are all examples of this.
Question 27 of 60
We have tested our software and we have found over 10,000 flaws. What should our next steps be?
Now that we have completed our tests, just like with our log reviews, we need to use and analyze the data we got from the testing. It can be huge amounts of data, and we need to prioritize what we act on first, what is acceptable and what is not. Think of the qualitative risk analysis: if it is low likelihood and low impact we may leave it alone and focus on higher-priority items.
Question 28 of 60
As part of our data disposal process, we overwrite all of the disks multiple times with random 0s and 1s. Sometimes that is NOT an option. When would that be?
Overwriting is done by writing 0s or random characters over the data. As far as we know, there is no tool available that can recover even single-pass overwriting (not possible on damaged media).
Question 29 of 60
When we list the Minimum Operating Requirements (MOR) for a system in our business impact analysis (BIA), what should it contain?
Minimum Operating Requirements (MOR): The minimum environmental and connectivity requirements for our critical systems to function; can also at times include minimum system requirements for DR sites. We may not need a fully spec'ed system to resume the business functionality.
Question 30 of 60
When using the formal approval process, what is required to access data?
Formal Access Approval: A document from the data owner approving access to the data for the subject. The subject must understand all requirements for accessing the data and the liability involved if it is compromised, lost or destroyed. Appropriate security clearance is required as well as the formal access approval.
Question 31 of 60
As part of a security audit, we have found some security flaws. The IT Security team has been asked to suggest mitigation strategies using the OSI model. Which of these would address layer 7 issues?
Application layer firewalls are on the 7th OSI layer. The key benefit of application layer firewalls is that they can understand certain applications and protocols. They see the entire packet; the packet isn't decrypted until layer 6; any other firewall can only inspect the packet, but not the payload. They can detect if an unwanted application or service is attempting to bypass the firewall using a protocol on an allowed port, or detect if a protocol is being used in any malicious way.
Question 32 of 60
As part of our authentication process, we have issued our staff TOTP tokens. How do they work?
Something you have – Type 2 Authentication: TOTP (Time-based One-Time Password): Time-based with a shared secret, often generated every 30 or 60 seconds; synchronized clocks are critical.
Question 33 of 60
Using the OSI model, which of these are COMMON layer 5-7 threats?
A computer worm is standalone malware that replicates itself to spread to other computers; worms normally operate on OSI layers 5-7.
Question 34 of 60
34. Question
We want to use the most commonly used database management system (DBMS) in our organization. What should we implement?
DBMS (database management system): The most common is SQL or a SQL derivative. A DBMS is a software application that interacts with the user, other applications, and the database itself to capture and analyze data. A general-purpose DBMS is designed to allow the definition, creation, querying, update, and administration of databases. Examples: MySQL, PostgreSQL, MongoDB, MariaDB, Microsoft SQL Server, Oracle, Sybase, SAP HANA, SQLite and IBM DB2.
Question 35 of 60
On which layer of the OSI model would we consider physical security?
Layer 1: Physical Layer: wires, fiber, radio waves, hubs, part of the NIC, connectors (wireless).
Question 36 of 60
In which of these protocols is IPSEC built in, rather than added on later?
IPSEC (Internet Protocol Security): A set of protocols that provide a cryptographic layer for IP traffic. For IPv4 it is bolted on; for IPv6 it is designed into the protocol.
Question 37 of 60
We have just signed a contract with a vendor for a Software as a Service (SaaS) implementation. Where does our responsibility start, and the vendor’s responsibility stop?
In Software as a Service (SaaS), the vendor provides everything, including the applications and programs. We provide the data for the applications.
Question 38 of 60
In our fuzz testing, we analyze data and change the fuzz input iteratively. What is this called?
Fuzzing (Fuzz testing): Testing that provides a large number of different inputs, to try to cause unauthorized access or to make the application enter an unpredictable state or crash. If the program crashes or hangs, the fuzz test has failed. The fuzz tester can enter values into the script or use pre-compiled random or specific values. Mutating fuzzing: the tester analyses real input data and modifies it iteratively.
Question 39 of 60
We are doing security audits and we test against published standards. Which of these is NOT one of the standards we would test against?
RBAC is role-based access control, not a security audit standard. SOC 2 and PCI-DSS are standards we audit against.
Question 40 of 60
We are adding random data to our password hashes, to prevent attackers from successfully using rainbow table and dictionary attacks. What are we adding to the hash function?
A salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase.
Question 41 of 60
We are implementing new networking infrastructure in our organization. The new infrastructure is using Carrier-sense multiple access with collision detection (CSMA/CD). What are we implementing?
CSMA/CD (Carrier Sense Multiple Access with Collision Detection): Used for systems that can send and receive at the same time, like Ethernet. If two clients listen at the same time and see the line is clear, they can both transmit at the same time, causing collisions; collision detection (CD) is added to handle this scenario. Clients listen to see if the line is idle; if idle, they send, and if in use, they wait a random amount of time (milliseconds). While transmitting, they monitor the network. If more input is received than was sent, another workstation is also transmitting, so they send a jam signal to tell the other nodes to stop sending, and wait a random amount of time before retransmitting.
Question 42 of 60
We need to ensure we are compliant with all the laws and regulations of all the states, territories, and countries we operate in. How are the security breach notification laws in the US handled?
Security breach notification laws are NOT federal; 48 states have individual laws (none in Alabama and South Dakota), so know the one for your state. They normally require organizations to inform anyone whose PII was compromised. Many states have an encryption clause under which lost encrypted data may not require disclosure.
Question 43 of 60
As part of our annual security audit we hired a pen testing company. What could be some of the tools they would use?
Social engineering is often the easiest way for pen testers to get an initial foothold on our network.
Question 44 of 60
What type of physical access control could we use to prevent cars and vans from entering our perimeter?
Bollards (Preventative): Used to prevent cars or trucks from entering an area while allowing foot traffic to pass. Shops often use planters or similar; it looks prettier but achieves the same goal. Most are static heavy-duty objects, but some cylindrical versions can be electronically raised or lowered to allow authorized traffic past a “no traffic” point. Some are fixtures that can be removed with a key or other unlock mechanism.
Question 45 of 60
We have, for many years, used dogs as part of our physical security. However, we are considering implementing other physical security measures and no longer using dogs. Which of these could be a reason we would consider NOT using dogs anymore?
Dogs (Deterrent, Detective, Compensating): Most often used in controlled, enclosed areas. Liability can be an issue: dogs are trained to corner suspects and attack someone who is fleeing, and people often panic when they encounter a dog and run. Even if they are in a secure area, the organization may still be liable for injuries.
Question 46 of 60
In a new data center implementation, we want to use IPv6 addresses. Which of these statements are TRUE about IPv6 addresses? (Select all that apply.)
IPv6 addresses are 128-bit binary values, usually written in hexadecimal (digits 0-9 and a-f). Link-local addresses use the fe80: prefix, and a 48-bit EUI/MAC48 address is turned into an EUI/MAC64 address by inserting “fffe” into it.
Question 47 of 60
When attackers are war dialing, what are they trying to do?
War dialing: Uses a modem to dial a series of phone numbers, looking for an answering modem carrier tone; the penetration tester then attempts to access the answering system. Not really done anymore, but know it for the exam.
Question 48 of 60
We can use smart cards, tokens, passports, and IDs for which type of authentication?
Something you have (Type 2 Authentication): ID, passport, smart card, token, cookie on a PC; these are called possession factors.
Question 49 of 60
As part of our fault tolerance strategy we are using remote journaling. What does that do?
Remote journaling: Sends transaction log files to a remote location, not the files themselves. The transactions can be rebuilt from the logs if we lose the original files.
Question 50 of 60
What is the PRIMARY reason we would implement clipping levels?
Clipping levels: Clipping levels are in place to reduce administrative overhead. They allow authorized users who forget or mistype their password a couple of extra tries. They prevent password guessing by locking the user account for a certain time frame (for example an hour), or until unlocked by an administrator.
Question 51 of 60
What can Redundant Array of Independent Disks (RAID) protect us against, if we are using RAID with fault tolerance?
Redundant Array of Independent Disks (RAID) with fault tolerance protects our data against a single disk failure; by default it does not protect against more than one. It can be configured to survive multi-disk failure, but this is rarely done and is expensive.
Question 52 of 60
All of these are examples of Distributed Denial Of Service (DDOS) attacks, except one. Which of these is NOT a Distributed Denial Of Service (DDOS) attack?
There are many different types of Distributed Denial Of Service (DDOS) attacks, but there is no such thing as an IPSec flood. UDP, SYN and MAC floods are all Distributed Denial Of Service (DDOS) attacks.
Question 53 of 60
When is it appropriate to install and use backdoors and maintenance hooks?
Backdoors: Often installed by attackers during an attack to give them access to the systems after the initial attack is over, to continue exfiltrating data over time, or to come back and compromise other systems. A backdoor bypasses normal authentication or encryption in a computer system, product, or embedded device. Backdoors are often used for securing remote access to a computer, or for obtaining access to plaintext in cryptographic systems.
Question 54 of 60
When we are talking about data remanence, what does that refer to?
Data Remanence: Data left over after normal removal and deletion of data.
Question 55 of 60
Which type of access control could we use to limit access outside of regular work hours?
Context-based access control: Access to an object is controlled based on certain contextual parameters, such as location, time, sequence of responses, access history.
Question 56 of 60
Which project management methodology uses a linear approach where each phase leads into the next and you can’t go back to a previous phase?
Waterfall: Very linear, each phase leads directly into the next. The unmodified waterfall model does not allow us to go back to the previous phase.
Question 57 of 60
A pen tester is calling one of our employees. The pen tester explains to the employee the company will be hit with a lawsuit if he won’t do what he is told. Which type of social engineering is the pen tester using?
Social engineering uses people skills to bypass security controls. Intimidation (“if you don’t, something bad happens”): a virus on the network, a compromised credit card, a lawsuit against your company. Intimidation is most effective when combined with impersonation and vishing attacks.
Question 58 of 60
We use the CIA triad as a logical model for IT Security and the protection profile our organization wants. What does the A stand for in the CIA triad?
The CIA (Confidentiality, Integrity, Availability) Triad: Availability – We ensure authorized people can access the data they need, when they need to.
Question 59 of 60
We are using the OSI model to categorize attacks and threats. Which of these are COMMON layer 2 threats?
ARP spoofing is an attack where an attacker sends fake ARP (Address Resolution Protocol) messages over a local area network. This results in the attacker’s MAC address being associated with the IP address of an authorized computer or server on our network.
Question 60 of 60
We are using RAID-5 (Redundant Array of Independent Disks) on one of our servers. At least how many disks does that require?
RAID 5: Block-level striping with distributed parity; requires at least 3 disks. Combines speed with redundancy.