ISC2 – Exam Preparation QUIZ – 1

Log review should happen continually, in order to ensure detection efforts are optimized. B is the correct answer. A, C and D are incorrect; logs need to be reviewed on a continual basis.

B is correct. A lock on a door restricts physical access to the area on the other side of the door to only those personnel who have the appropriate entry mechanism (key, badge, etc.).  A and C are both technical/logical controls. D is an administrative control.

In asymmetric encryption, each party needs their own key pair (a public key and a private key) to engage in confidential communication. B is the correct answer. A, C and D are incorrect; in asymmetric encryption, each party needs their own key pair for confidential communication.

The AUP describes how users will be permitted to use the organization's IT assets. B is the correct answer. A, C and D are incorrect; while these are all common policies, they do not serve the same function as the AUP.

A is the correct answer. The process itself is an administrative control; rules and practices are administrative. The safe itself is physical, but the question asked specifically about process, not the safe, so C is incorrect. Neither the safe nor the process is  part of the IT environment, so this is not a technical control; D is incorrect. B is incorrect; "tangential" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.

Hashing is a means to provide an integrity check. A is the correct answer. B is incorrect; this term is meaningless, and used here only as a distractor. C and D are incorrect; neither symmetric encryption nor asymmetric encryption provides message integrity.

HVAC stands for "heating, ventilation and air conditioning," and is a common industry term. B is correct. A is incorrect; RBAC is an access control model. C is incorrect; MAC is the physical address of an IT device.

A is correct. Biometric systems can be extremely accurate, especially when compared with other types of access controls. B, C and D are all potential concerns when using biometric data, so those answers are incorrect in this context.

A is correct. In this situation, Prachi is the subject in the subject-object-rule relationship. Prachi manipulates the database; this makes Prachi the subject. B and D are incorrect, because Prachi is the subject in this situation. C is incorrect, because Prachi is not, and never will be, a file.

D is the correct answer. All data needs some form of security; even data that is not sensitive (such as data intended for public view) needs protection to ensure availability.  A, B and C are incorrect; all data needs some form of security protection.

D is correct. A software firewall is a technical control, because it is a part of the IT environment. A is incorrect; a software firewall is not a tangible object that protects something. B is incorrect; a software firewall is not a rule or process. Without trying to confuse the issue, a software firewall might incorporate an administrative control: the set of rules which the firewall uses to allow or block particular traffic. However, answer D is a much better way to describe a software firewall. C is incorrect; "passive" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.

RBAC can aid in reducing "privilege creep," where employees who stay with the company for a long period of time might get excess permissions within the environment. A is the correct answer. B and C are incorrect; MAC and DAC do not offer this type of assurance. D is incorrect; logging will demonstrate user activity, but doesn't aid in reducing excess permissions.

B is correct. A biometric security system works by capturing and recording a physiological trait of the authorized person and storing it for comparison whenever that person presents the same trait in the future. A is incorrect; access control information should not be broadcast. C is incorrect; if all biometric data is erased, the data cannot be used for comparison purposes to grant access later. D is incorrect; biometric data should not be modified, or it may become useless for comparison purposes.

B is correct; IaaS offers the customer the most control of the cloud environment, in terms of common cloud service models. A is incorrect; this is not a common cloud service model. C and D are incorrect; IaaS offers the customer more control than any other common cloud service model.

C is correct. Physical controls, such as fences, walls and bollards, will be most likely to ensure cars cannot collide with pedestrians by creating actual barriers between cars and pedestrians. A is incorrect; administrative controls (such as signage and written directions) may be helpful in this situation, but not as helpful as physical controls. B is incorrect because technical controls are typically associated with IT environments and less practical for physical interactions; while helpful, technical controls would most likely not be as useful as physical controls in this situation. D is incorrect because "nuanced" is not a common type of security control, and the word is only used here as a distractor.

C is correct. Availability is enhanced by ensuring that elements of the data center are replicated, in case any given individual element fails. A is incorrect; this is the opposite of redundancy—is any single element is unique, that could become a single point of failure and affect the overall operation. B is incorrect; while secure destruction is worth planning for, that will come at the end of the system life cycle and is not part of ensuring availability. D is incorrect; we generally don't care what color the elements of a data center are.

A is correct. Non-repudiation is the concept that users cannot deny they have performed transactions that they did, in fact, conduct. A system that keeps a record of user transactions provides non-repudiation. B and C are incorrect because nothing in the question referred to authentication at all. D is incorrect because non-repudiation does not support privacy (if anything, non-repudiation and privacy are oppositional).

At the end of the retention period, data should be securely destroyed. A is the correct answer. B, C and D are incorrect; data must be securely destroyed at the end of the retention period.

A is Correct. This is the description of a privileged account; an account that typically needs greater permissions than a basic user. B and C are incorrect; the question does not specify whether Gelbi connects to the environment from within the network, or from outside. D is incorrect; this is too vague—Gelbi is a user, but has permissions that are typically greater than what basic users have.

A server typically offers a specific service, such as hosting web pages or managing email, and is often accessed by multiple users. C is the correct answer. A and B are incorrect; routers and switches are used to vector network traffic, not to provide specific services. D is incorrect; a laptop is typically only assigned to a single user.

B is correct: The GDPR is the EU law that treats privacy as a human right. A is incorrect because there is no Privacy Human Rights Act, which is only used here as a distractor. C is incorrect because the Magna Carta is a British law describing the relationship between the monarchy and the people, and does not mention privacy. D is incorrect because the Constitution is the basis of United States federal law, and does not mention privacy. 

B is correct. This is a set of instructions to perform a particular task, so it is a procedure (several procedures, actually—one for each platform). A is incorrect; the instructions are not a governmental mandate. C is incorrect, because the instructions are particular to a specific product, not accepted throughout the industry. D is incorrect, because the instructions are not particular to a given organization.

The use of multiple types of controls enhances overall security. D is correct. A, B and C are all incorrect, because no single type of control can provide adequate protection of an environment.

B is correct. Business continuity planning is proactive preparation for restoring operations after disruption. Members from across the organizations participate in the planning to ensure all systems, processes and operations are accounted for in the plan. A is incorrect; business continuity planning is a proactive procedure to prepare for the restoration of operations after disruption.

Patches can sometimes cause unintended problems in the environment, so an organization must always be prepared to rollback the environment to the last known good state prior to when the patch was applied. D is the correct answer. A is incorrect; typically, vendors offer patches as part of long-term support for their products, at no extra cost. B is incorrect; we patch systems so that we do not have to replace them with new ones. C is incorrect; patching does not often lead to lawsuits.

B is correct. An asset is anything with value, and a security practitioner may need to protect assets. A, C, and D are incorrect because vulnerabilities, threats and likelihood are terms associated with risk concepts, but are not things that a practitioner would protect.

Repeated login attempts can resemble an attack on the network; attackers might try to log in to a user's account multiple times, using different credentials, in a short time period, in an attempt to determine the proper credentials. D is correct. A is incorrect; security policies and processes are not intended to punish employees. B is incorrect; IT systems do not get tired. C is incorrect; the delay is not designed to help users remember credentials.

With asymmetric encryption, Bluga can provide proof-of-origin for the message, for multiple recipients. B is the correct answer. A is incorrect; symmetric encryption does not provide a capability for proof of origin. C is incorrect; this term is meaningless, and used here only as a distractor. D is incorrect; hashing is not encryption, and does not provide proof of origin.

Firewalls filter traffic in order to enhance the overall security or performance of the network, or both. D is the correct answer. A is incorrect; "endpoint" is the term used to describe a device involved in a networked communication, at either "end" of a conversation. B is incorrect; laptops are not typically employed to filter network traffic. C is incorrect; MAC is the physical address of a device on a network.

C is the best answer. Aphrodite is required by the ISC2 Code of Ethics to "provide diligent and competent service to principals." This includes reporting policy violations to Triffid management (Triffid is the principal, in this case). A policy violation of this type is not a crime, so law enforcement does not need to be involved, and ISC2 has no authority over Triffid policy enforcement or employees.

DAC gives managers the most choice in determining which employees get access to which assets. C is the correct answer. A and B are incorrect; RBAC and MAC do not offer the same kind of flexibility that DAC does. D is incorrect; "security policy" is too broad and vague to be applicable; C is the better answer.

C is the correct answer. Keeping systems up to date is typically part of both the configuration management process and enacting best security practices. A, B and D are incorrect; these activities are neither part of the configuration management process nor a best security practice.

This is a textbook example of an on-path attack, where the attackers insert themselves between communicating parties. C is the correct answer. A is incorrect; a side channel attack is entirely passive, and typically does not include surveilling actual data (it instead surveils operational activity, such as changes in power usage, emissions and so forth). B is incorrect; a DDOS attack involves multiple machines flooding the target to overwhelm the target; Gary is neither shutting down the target nor using multiple devices in the attack. D is incorrect; a physical attack involves tangible materials. An example of a physical attack would be Gary cutting the wire between Linda and Dauphine, so that they could not communicate.

C is correct. Defense in depth is the use of multiple different (and different types of) overlapping controls to provide sufficient  security. A and B are incorrect; nothing in the question suggested that two-person integrity or segregation of duties are being used in Parvi's workplace. D is incorrect; this is not a description of penetration testing.

Role-based access controls often function in this manner, where the employee's job responsibilities dictate exactly which kinds of access the employee has. This also enforces the concept of "least privilege." A is the correct answer. B and C are incorrect; those access control models don't function in the same way as RBAC. D is incorrect; there is no ATAC in this context, and the term is only used here as a distractor.

"Wiring closet" is the common term used to described small spaces, typically placed on each floor of a building, where IT infrastructure can be placed. A, C and D are incorrect; these are not common terms used in this manner.

A is correct. An event that is has a significant probability of occurring ("high-likelihood") and also has a severe negative consequence ("high-impact") poses the most risk. The other answers all pose less risk, because either the likelihood or impact is described as "low." This is not to say that these risks can be dismissed, only that they are less significant than the risk posed by answer A

B is the correct answer; this is the purpose of NTP. A, C and D are incorrect; these do not serve the purpose of synchronization.

D is the best answer. According to the third Canon of the ISC2 Code of Ethics, members are required to "provide diligent and competent service to principals." Hoshi's principal here is Triffid, Hoshi's employer. It would be inappropriate for Hoshi to select the cousin's product solely based upon the family relationship; however, if the cousin's product is, in fact, the best choice for Triffid, then Hoshi should recommend that product. In order to avoid any appearance of impropriety or favoritism, Hoshi needs to declare the relationship when making the recommendation.

A is correct. Sophia is accepting the risk that the money will be lost, even though the likelihood is high; Sophia has decided that the potential benefit (winning the bet), while low in likelihood, is worth the risk. B is incorrect; if Sophia used avoidance, Sophia would not place the bet. C is incorrect; mitigation involves applying a control to reduce the risk. There is no practical (or legal) way to reduce the risk that Sophia will lose the bet. D is incorrect; if Sophia wanted to transfer the risk, Sophia might ask some friends to each put up a portion of the bet, so that they would all share the loss (or winnings) from the bet.

C is the correct answer; SFTP is designed specifically for this purpose. A, B and D are incorrect; these protocols are either not efficient or not secure in Barry's intended use.

D is correct. We typically do not ask privileged account holders for security deposits. A, B, and C are incorrect; those are appropriate controls to enact for privileged accounts.

D is correct. The city council is a governmental body making a legal mandate; this is a law. A is incorrect; the rule is not a policy used by a specific organization, but instead applies to anyone within the jurisdiction of the Grampon city council. B is incorrect; this rule is not a process to follow. C is incorrect; this rule is not recognized outside the jurisdiction of the Grampon city council.

A firewall is a solution used to filter traffic between networks, including between the internal environment and the outside world. D is the correct answer. A and B are incorrect; a turnstile and a fence are physical access control mechanisms. C is incorrect; a vacuum does not affect network traffic, and the term is used here only as a distractor.

D is correct; a virtual private network protects communication traffic over untrusted media. A is incorrect; the internet is an untrusted medium. B is incorrect; VLANs are used to segment portions of the internal environment. C is incorrect; MAC is the physical address of a given networked device.

C is correct. The Common Body of Knowledge is used throughout the industry, recognized among many people, countries and organizations. This is a standard. A is incorrect; the CBK is not a set of internal rules used for a particular organization; it is used throughout the industry. B is incorrect. The CBK is not a process that is followed; it is a set of information. D is incorrect; the CBK is not mandated by a governmental body.

A is correct. The municipal code was created by a governmental body and is a legal mandate; this is a law. The Triffid checklist is a detailed set of actions which must be used by Triffid employees in specific circumstances; this is a procedure. B and C are incorrect; neither document is recognized throughout the industry, so neither is a standard. D is incorrect; neither document is a strategic internal overview issued by senior management, so neither is a policy.

Hashing is used for integrity checks. B is the correct answer. A, C and D are incorrect; hashing only provides integrity.

Log data should be protected with security as high, or higher, than the security level of the systems or devices that log was captured from. D is the correct answer. A, B and C are incorrect; these are not qualities that dictate security level of protection on log data.

D is correct. This is an example of least privilege; Prachi needs to be able to add or delete users from the database in order to perform as a database administrator, but does not need to view or modify the data in the database itself in order to perform the job. A and B are incorrect; "defense in depth" and "layered defense" are two terms that mean the same thing: multiple (and multiple types of) overlapping controls to protect assets. Nothing in the question describes multiple controls. C is incorrect; no second person is involved in Prachi's activity.

The IP address is the logical address assigned to a device connected to a network or the Internet. B is the correct answer. A is incorrect; the MAC address of a device is its physical address. C is incorrect; the geophysical address is typically the postal address assigned to a building, not an IT device. D is incorrect; "terminal address" has no meaning in this context, and is only used here as a distractor.

B is correct. The ISC2 Code of Ethics requires that members "advance and protect the profession"; this includes protecting test security for ISC2 certification material. ISC2 (and every ISC2 member) has a vested interest in protecting test material, and countering any entity that is trying to undermine the validity of the certifications. This is, however, not a matter for law enforcement; if it turns out that law enforcement must be involved, ISC2 will initiate that activity. Glen's employer has no bearing on this matter.

B is the best answer. The ISC2 Code of Ethics requires that members "protect society, the common good, necessary public trust and confidence, and the infrastructure"; this would include a prohibition against disseminating and deploying malware for offensive purposes. However, the Code does not make ISC2 members into law enforcement officers; there is no requirement to get involved in legal matters beyond the scope of personal responsibility. Tina should stop participating in the group, and perhaps (for Tina's own protection) document when participation started and stopped, but no other action is necessary on Tina's part.

Water is typically the least expensive type of fire-suppression system, as water is one of the most common chemicals on the planet. A is correct. B is incorrect; dirt is usually only used in the suppression of forest fires. C and D are incorrect; gaseous/oxygen depletion systems are typically much, much more expensive than water-based systems.

DDOS is an availability attack, often typified by recognizable network traffic; either too much traffic to be processed normally, or malformed traffic. A is the correct answer. B and C are incorrect, because in both these kinds of attacks, the attacker wants the IT environment to continue working properly—if the attacker shut down the environment, the attacker wouldn't be able to use spoofed credentials or exfiltrate stolen data. D is incorrect, because loss of power is not recognized by network traffic, it is recognized by lack of functionality.

A is correct. An intrusion is an attempt (successful or otherwise) to gain unauthorized access. B is incorrect; the question does not mention what specific attack or vulnerability was used. C and D are incorrect; the organization did not grant unauthorized access or release the files.

B is correct. Alternate operations are typically more costly than normal operations, in terms of impact to the organization; extended alternate operations could harm the organization as much as a disaster. A is incorrect; typically, alternate operations are safer than normal operations. C is incorrect; this would actually be an argument for delaying alternate operations, but it doesn't make much sense. D is incorrect; competition is always a risk, but doesn't have anything to do with DR efforts.

Labeling is the practice of annotating assets with classification markings. D is the correct answer. A is incorrect; "secrecy" is too broad a term in this context, and not accurate—the markings are visible. B is incorrect; privacy is associated with information that identifies a specific person (or specific people). C is incorrect; this term has no meaning in this context, and is used here only as a distractor.

D is correct. A facial photograph is something you are—your appearance. A is incorrect because a credit card is an example of an authentication factor that is something you have. B is incorrect because passwords and PINs are examples of authentication factors that are something you know. C is incorrect because a user ID is an identity assertion, not an authentication factor.

Discretionary access control is a model wherein permissions are granted by operational managers, allowing them to make the determination of which personnel can get specific access to particular assets controlled by the manager. B is the correct answer. A is incorrect; in mandatory access control, managers do not have the authority (discretion) to determine who gets access to specific assets. C is incorrect; in role-based access control, managers do not have the authority to determine who gets access to particular assets. D is incorrect; defense in depth is not an access control model, it's a security philosophy

D is correct. Moving data/operations into the cloud does not relieve the customer from legal constraints (and may even increase them). A, B and C are all common benefits of cloud services, and are therefore incorrect answers.

D is the correct answer. This is a description of how SaaS works. A is incorrect; this is not a common cloud service model. B is incorrect; IaaS offers much more than just access to a given application. C is incorrect; PaaS offers much more than just access to a given application.

D is correct. Anyone within the organization can identify risk.

A is correct. Resuming full normal operations too soon after a disaster might mean personnel are put in danger by whatever effects the disaster caused. B and C are incorrect because the feelings of investors and regulators are not the primary concern of DR efforts. D is incorrect; saving money is not a risk, it is a benefit.

B is correct; this is the purpose of anti-malware solutions. A, C and D are incorrect; these solutions are not typically designed to identify and counter malware.

C is correct. A senior manager with the proper authority must initiate the BCP. A is incorrect; this answer has no context—there is no way to know when "as soon as possible" would be. B is incorrect; typically, it is impossible to determine the "beginning" of a disaster. D is incorrect; not all organizations are in regulated industries, and regulators do not supervise disaster response.

C is correct. A laptop, and the data on it, are assets, not threats. All the other answers are examples of threats, as they all have the potential to cause adverse impact to the organization and the organization's assets.

D is correct; HTTP is designed for Web browsing. A, B and C are incorrect; these are not protocols designed to handle Web browsing.

D is correct. Business Continuity efforts are about sustaining critical business functions during periods of potential interruption, such as emergencies, incidents, and disasters. A is incorrect; Business Continuity efforts often require significant financial expenditures. B is incorrect; Business Continuity efforts are important regardless of whether customers are impressed. C is incorrect; Business Continuity efforts should focus specifically on critical business functions, not the entire IT environment.

An event is any observable occurrence within the IT environment. (Any observable occurrence in a network or system. (Source: NIST SP 800-61 Rev 2) While an event might be part of an incident, attack, or threat, no other information about the event was given in the question, so B is the correct answer.

The main purpose of configuration management is to ensure that there is uniformity throughout the IT environment, and that only authorized modifications are made. D is the correct answer. A, B and C are incorrect; these may be overall security goals, and configuration management may assist for these purposes, but these are not the main goal of configuration management.

D is the correct answer. Log data can often be useful in diagnosing or investigating the device it was captured from; it is therefore useful to store the data away from the device where it was harvested, in case something happens to the source device. A is incorrect; if something happens to the source machine, the log data may be affected if it is stored on the source. B is incorrect; log data may be stored underground, aboveground, underwater, in the sky, or in orbit, as long as it is stored securely. C is incorrect; airtight seals do not affect log data positively or negatively.

B is correct. Segregation of duties, also called separation of duties, is used to reduce the potential for corruption or fraud within the organization. More than one person must be involved in a given process in order to complete that process. A is incorrect; Trina and the manager are not both required to be present for the transaction. C is incorrect; software is a term used to describe programs and applications. D is incorrect; defense in depth is the use of multiple (and multiple types of) overlapping security controls to protect assets.