
PRETEST

1. Each of these steps is part of the penetration testing process, EXCEPT:
a. Attack and exploit
b. Information gathering
c. Reporting
d. Vulnerability Assessment

This answer is incorrect. The correct answer is 'D'. Vulnerability assessments involve
identifying vulnerabilities, categorizing vulnerabilities, and addressing known vulnerabilities.
Mitigating vulnerabilities is part of risk management. (See the following lesson:
Vulnerability Assessments and Penetration Tests)

2. All of these are symmetric key algorithms EXCEPT:
a. RSA
b. 3DES
c. AES
d. RC

This answer is incorrect. The correct answer is 'A'. RSA is an asymmetric key algorithm. (See
the following lesson: Cryptographic Algorithms)

3. Monitoring the information system is vital to system security. What is included in the system
monitoring process?
a. Watching security audit logs in real-time
b. Capturing SNMP traffic for system health and status purposes
c. Building a security operations center (SOC) and tasking personnel to monitor security logs
d. Analyzing a variety of audit logs and system messages

This answer is correct. System monitoring is analyzing a variety of audit logs, messages, and
other mechanisms. It's important to collect and analyze multiple logs, not just security logs.
(See the following lesson: System Auditing and Monitoring)

4. DNS provides all of the following services EXCEPT:
a. DNS translates network addresses to common words
b. DNS translates an IP address to a MAC address
c. DNS translates an IP address to domain names
d. DNS translates names to IP addresses

Domain Name Services (DNS) translates or resolves network (IP) addresses to domain names. (See
the following lesson: Network Services Part 1)

5. The purpose of conducting a network security assessment is to:
a. Verify security risks are at an acceptable level
b. Verify all vulnerabilities have been fixed
c. Simulate an attack against the network to verify functionality
d. Ensure the network is working as designed

This answer is incorrect. The correct answer is 'A'. Network security assessments (or any
assessments for that matter) are designed to ensure security risks are at an acceptable level.
(See the following lesson: Network Security Assessment)

6. What type of attack uses digital communication messages to collect private or sensitive
information?
a. Phishing
b. Pretexting
c. Vishing
d. Whaling

This answer is incorrect. The correct answer is 'A'. Phishing attacks use digital
communication messages to collect private or sensitive information. (See the following
lesson: Common Attacks Against Personnel)

7. To properly maintain a firewall, which of these is LEAST important?
a. The firewall operating system must be kept up to date
b. Review firewall rulesets/ACLs periodically
c. Review firewall audit logs frequently
d. Monitor operational end-of-support/end-of-life of the firewall

This answer is incorrect. The correct answer is 'D'. End-of-life/support is important, but
firewalls typically have a lifespan of 5-7 years. All other activities must be done regularly to
ensure proper protection. (See the following lesson: Firewall Technologies)

8. A network security technique of isolating network traffic to specific networks is called:
a. Network Isolation
b. Network Segmentation
c. Network Traffic Control
d. Network Firewall

Network segmentation is the grouping of different types of network traffic together and forcing it
to use specific networks. (See the following lesson: Principles of IP Networks)

9. Before selecting security controls, what is the FIRST thing you should do?
a. Know what kind of components need protection
b. Know what kind of data needs protection
c. Know how to securely configure each component
d. Get stakeholder approval for the security controls

Security control selection all depends on the protection needs for the data. (See the following
lesson: Selecting Security Controls)

10. When a username and password are used for identification and authentication, what factor
of authentication is this?
a. Type 4
b. Type 3
c. Type 2
d. Type 1

This answer is correct. Type 1 authentication is something you know, like a username and
password. (See the following lesson: Understanding Identity and Access Management)

11. Data that remains on a storage device even after it has been deleted is called:
a. Data Remanence
b. Wiped Data
c. Leftover Data
d. Deleted Data

This answer is incorrect. The correct answer is 'A'. A major security concern is data
remanence, or when data remains on a storage device even after it has been deleted. (See the
following lesson: The Different Types of Data Storage)

12. If the cost of risk mitigation is a factor, what is the BEST approach for making an informed risk
decision?
a. Perform another risk assessment
b. Conduct a Cost/Benefit analysis
c. Accept the risk to avoid spending any more money
d. Meet with system stakeholders for official direction

This answer is incorrect. The correct answer is 'B'. A cost/benefit analysis should be used to
make your risk decision if money is a factor. (See the following lesson: Managing Security
Risks)

13. Risk acceptance occurs when an organization:
a. Has reduced risk to an acceptable level
b. Has removed elements of a risk that no longer poses a threat
c. Has acknowledged the consequences of the risk
d. Has chosen not to do anything further with the known risk

14. Which layer of the OSI model is responsible for converting segments into packets?
a. Network Layer
b. Internet Layer
c. Transport Layer
d. Data Link Layer

This answer is incorrect. The correct answer is 'A'. The network layer (layer 3) converts
segments from the transport layer. (See the following lesson: TCP/IP And The OSI Model)

15. A collection of system services and resources made available over the internet is called:
a. Web applications
b. A website
c. Virtualization
d. Cloud Computing

This answer is correct. Cloud computing is a collection of system services and resources made
available to users over a network (usually the internet). (See the following lesson:
Virtualization and the Cloud)

16. Internet Protocol Security (IPSEC) is designed to:
a. Add encryption to tunneled communications to protect it when using an untrusted network
b. Create a communication tunnel
c. Secure open IP communications
d. Provide IP communications for websites

IPSEC creates a secure tunnel by adding encryption to a VPN in tunnel mode. (See the following
lesson: Remote Access Security)

17. What is NOT a common technique to implement confidentiality in an information system?
a. Identification and Authentication
b. Data encryption
c. Access controls
d. Hashing

This answer is incorrect. The correct answer is 'D'. Identification and Authentication, data
encryption, and access controls are all ways to implement confidentiality. Hashing
enforces integrity only. (See the following lesson: Confidentiality, Integrity, and
Availability)

18. Data is MOST vulnerable when it is:
a. Stored online
b. At rest
c. In use
d. In transit

This answer is incorrect. The correct answer is 'D'. Data is most vulnerable when it is in
transit and must be properly protected. (See the following lesson: Protecting Sensitive
Data)

19. Operations and maintenance is important to ensure all of the following, EXCEPT:
a. The system is functioning properly as it was designed
b. The system adds new capabilities to meet organizational needs
c. The system is patched for known flaws and/or vulnerabilities
d. The system maintains a consistent operating baseline

This answer is incorrect. The correct answer is 'B'. Adding new capabilities is part of system
development, not O&M. (See the following lesson: Systems Operations And Maintenance)

20. Which of the following is NOT important when preparing for a security assessment?
a. Ensure all required personnel are available
b. Verify that all system resources and components are ready
c. Identify and prepare what needs to be tested
d. Document all results of the security assessment

This answer is incorrect. The correct answer is 'D'. Documenting the results takes place after
the assessment has been conducted. (See the following lesson: Preparing For A Security
Assessment)

21. What is data or information that can uniquely identify a specific individual?
a. PHI
b. PII
c. PPI
d. Confidential

This answer is incorrect. The correct answer is 'B'. PII is any information that can
uniquely identify a specific individual. (See the following lesson: Protecting Sensitive
Data)

22. Which one of the following is NOT a phase of the SDLC?
a. Compliance
b. Initiation
c. Implementation/Assessment
d. Disposal

This answer is incorrect. The correct answer is 'A'. Compliance is not a phase of the System
Development Lifecycle (SDLC). Compliance is done as a part of the
Implementation/Assessment phase. (See the following lesson: Systems Development
Methodologies)

23. What is the BIGGEST risk to information security?
a. Organizational Personnel
b. System Attackers
c. Senior Management
d. New employees

This answer is correct. Personnel are one of the biggest risks to information security. (See the
following lesson: Managing Personnel Security)

24. DevOps is the process of combining system development and operations into a continuous
process. When assessing the security architecture, what is one of the most important parts of
DevOps security?
a. DevOps tools are properly patched and up to date
b. The system is properly supported by DevOps software
c. Security must be integrated into DevOps as part of system and security architecture
d. Products deployed as part of DevOps are properly secured after deployment

This answer is incorrect. The correct answer is 'C'. It's very important that security is
integrated into DevOps as part of system and security architecture. (See the following lesson:
Assessing System Security Architecture)

25. The development environment should be PRIMARILY used to:
a. Operate a system or product
b. Integrate a system or product
c. Test a system or product
d. Build or create a system or product

This answer is incorrect. The correct answer is 'D'. The development environment should be
used to build or create a system or product. (See the following lesson: Systems Security
Architecture)

26. All of these are authentication factors EXCEPT:
a. Something you know
b. Something you have
c. Something you prove
d. Something you do

This answer is correct. The authentication factors are: Type 1 authentication is something
you know; Type 2 authentication is something you have; Type 3 authentication is something
you are or do; “Type 4” authentication is somewhere you are. (See the following lesson:
Understanding Identity and Access Management)

27. Least privilege is important to ensure users only have:
a. The privilege levels necessary to perform their tasking
b. The proper access levels to be effective at their jobs
c. The privilege levels necessary to configure the system how they want it
d. Adequate privilege levels to enforce proper security, while providing users flexibility

This answer is incorrect. The correct answer is 'A'. Least privilege is ensuring users only have
the privileges necessary to perform their tasking. (See the following lesson: Important
Security Principles)

28. What can be caused as a result of poorly managed user accounts, passwords, and sessions?
a. No authentication
b. Strong authentication
c. Broken authentication
d. Bad authentication

This answer is incorrect. The correct answer is 'C'. Broken authentication is a result of poorly
managed user accounts, passwords, and sessions. (See the following lesson: Securing
Software and Applications)

29. The MAIN feature of Discretionary Access Controls (DAC) allows:
a. Subjects are allowed to request access to objects
b. Object access can be controlled based on what roles or groups subjects are a part of
c. Object owners to control access directly to their objects
d. Requires pre-configured determinations for object access by subjects

This answer is incorrect. The correct answer is 'C'. DAC allows object owners to control
access directly to their objects. (See the following lesson: Understanding Access Control
Models)

30. What is the term used to describe the permissions or restrictions for an identified and
authenticated user?
a. Authorization
b. Authentication
c. Accounting
d. Access

This answer is correct. Authorization is the set of permissions or restrictions for an identified and
authenticated user and involves rules or configuration to permit or restrict a user’s access.
(See the following lesson: Understanding Identity and Access Management)

QUIZ 1
1. Least privilege is important to ensure users only have:
a. The privilege levels necessary to perform their tasking
b. The proper access levels to be effective at their jobs
c. The privilege levels necessary to configure the system how they want it
d. Adequate privilege levels to enforce proper security, while providing users flexibility

2. When an organization wants to declare very detailed and short-range security goals and
objectives, this should be documented in a:
a. Operational Plan
b. Operations Guide
c. Security Plan
d. Tactical Plan

3. When performing a cost/benefit analysis, which is NOT a consideration when making a risk
based decision?
a. Performing multiple risk assessments
b. Determining how much information to provide senior management so that they can make
a decision
c. Analyzing risk assessment results over different periods of time
d. Gathering as much detailed data as possible to present to senior management to make a
risk decision

4. Which one of the following is NOT a canon of the COE?
a. Protect society, the common good, necessary public trust and confidence, and the
infrastructure
b. Provide diligent and competent service to principals
c. Act honorably, honestly, justly, responsibly, and legally
d. Always provide the best possible security protection based on your current knowledge
and skill level

5. When deciding to mitigate a security risk, what is the focus of doing this?
a. Deciding to accept the risk because it's necessary for system operations
b. Eliminating the risk from any further evaluation
c. Reducing the risk to an acceptable level
d. Ignore the risk all together as it will not impact system operations

6. The states of data are comprised of each of these but DOES NOT include this:
a. Data in process
b. Data in use
c. Data in transit
d. Data at rest

7. How many canons are in the (ISC)2 Code of Ethics (COE)?
a. 4
b. 6
c. 5
d. 3

8. If you cannot determine how much a system asset costs, what is the best approach to perform a
risk assessment?
a. A hybrid risk assessment
b. A quantitative risk assessment
c. A qualitative risk assessment
d. A qualified risk assessment

9. To discover the potential loss for a single security occurrence, the proper formula to use is:
a. AV * EF
b. SLE * ARO
c. AV ACS
d. ALE AV

10. High level and long-range security goals should be documented in a:
a. Tactical Plan
b. Risk Management Plan
c. Security Plan
d. Strategic Plan

11. A conceptual formula to calculate a security risk is:
a. Threat Actor + Threats Vulnerabilities
b. AV * EF
c. Threats + Attacks
d. Threats * Vulnerabilities

12. What is NOT a common technique to implement confidentiality in an information system?
a. Identification and Authentication
b. Data encryption
c. Access controls
d. Hashing

13. An example of a security standard is:
a. The requirements for security auditing
b. The requirements for privileged and general users
c. The requirements for access controls
d. The requirements to securely configure a software application

14. An organization conducting an ongoing effort to ensure an organization's assets and/or people
remain protected is called what?
a. Do Correction
b. Due Diligence
c. Due Care
d. Due Protection

15. As it pertains to information security, availability is important to ensure:
a. The system is available for users
b. Proper security monitoring can be done
c. Data is available for users when they need it
d. You can login to perform security assessments

16. Due care can be explained as:
a. The reasonable effort to protect an asset
b. The reasonable effort to test an asset
c. The required effort to protect an asset
d. The necessary precautions to secure an asset

17. The purpose of a security policy is NOT to:
a. Define how an organization plans on protecting physical assets
b. Define a consistent set of actions required to implement security
c. Define how an organization plans on protecting information system assets
d. Define roles, responsibilities, and duties for security

18. Data is MOST vulnerable when it is:
a. Stored online
b. At rest
c. In use
d. In transit

19. When determining the value of an organizational asset, which is LEAST important?
a. The impact to organizational personnel
b. How much money it costs to replace the asset
c. How long it will take to replace the asset
d. How much money it costs to repair the asset

20. Michael is a new security engineer working for a small company. He received notification from a
firewall vendor stating the operating system had a critical vulnerability and a patch update was
available to correct the vulnerability.
a. Download and apply the patch update
b. Contact the network administrator and work with them to apply the patch update
c. Verify the vulnerability affects the operational firewall(s)
d. Follow the established security policy for handling patch updates

QUIZ 2

1. All of these are Asymmetric key algorithms EXCEPT:
a. RSA
b. AES
c. ECC
d. Diffie-Hellman

2. What type of security control is used to address a known risk, vulnerability, or threat that
cannot be mitigated directly?
a. Corrective control
b. Compensating control
c. Preventative control
d. Detective control

3. When using SHA to hash an input value, what key size would create the STRONGEST encryption?
a. 128 bits
b. 224 bits
c. 256 bits
d. 512 bits

4. Before selecting security controls, what is the FIRST thing you should do?
a. Know what kind of components need protection
b. Know what kind of data needs protection
c. Know how to securely configure each component
d. Get stakeholder approval for the security controls

5. Public Key Cryptography (asymmetric) uses what kind of keys for encryption and decryption?
a. 2 secret keys
b. A secret key and a public key
c. A public and private key
d. A private and a secret key

6. What BEST describes the policies, procedures, safeguards, countermeasures, and other means
used to enforce an organization's security needs?
a. Evaluation Criteria
b. Security Plan
c. Security Requirement
d. Security Control

7. Each of these components is part of a SCADA system EXCEPT:
a. RTU
b. HMI
c. DAS
d. IOT

8. Which of the following does not apply to a hash algorithm?
a. It requires a passphrase or a key
b. It is used to ensure data integrity
c. A hash produces an irreversible output
d. It results in a fixed-length output

9. The 3 main categories of security controls are:
a. Administrative, physical, and technical
b. Administrative, protective, and technical
c. Preventative, Detective, and Corrective
d. Protective, detective, and recovery

10. What kind of system is designed to operate large scale infrastructure or production operations?
a. ICS
b. SCADA
c. DCS
d. BYOD

11. Which security control framework uses risk impact levels, data overlays, and/or priority and
baseline allocation for control selection?
a. ISO 27002
b. CoBIT
c. NIST SP 800-53
d. COSO

12. The information system you are working with is referred to as a closed system. Why is it
important to know the difference between a closed or open system?
a. Closed systems typically use multiple vendors and various system components
b. Open systems typically use industry recognized best practices and standards
c. Closed systems typically create fewer vulnerabilities due to using open industry standards
d. Closed systems typically create more vulnerabilities due to lack of best practices and
standards

13. DevOps is the process of combining system development and operations into a continuous
process. When assessing the security architecture, what is one of the most important parts of
DevOps security?
a. DevOps tools are properly patched and up to date
b. The system is properly supported by DevOps software
c. Security must be integrated into DevOps as part of system and security architecture
d. Products deployed as part of DevOps are properly secured after deployment

14. All of these are symmetric key algorithms EXCEPT:
a. RSA
b. 3DES
c. AES
d. RC

15. What is a system that is connected by a network in order to share resources and create a single
integrated system?
a. Client-Server system
b. Distributed system
c. Networked system
d. Cloud based system

16. The purpose of information system architecture is PRIMARILY to define:
a. How security will be implemented
b. Security controls and requirements
c. The purpose of the information system
d. How computing components are designed, constructed, and connected

17. What kind of passive attack focuses on observing how the cryptographic algorithm works?
a. Analytic attack
b. Statistical attack
c. Linear cryptanalysis attack
d. Side-channel attack

18. This framework model is focused on developing a risk driven security architecture:
a. SABSA
b. TOGAF
c. DoDAF
d. Zachman

19. AES has 3 different options for creating encryption keys. Which one of these IS NOT an AES key
size?
a. 192 bits
b. 112 bits
c. 256 bits
d. 128 bits

20. This type of attack chooses what ciphertext will be decrypted so that the corresponding
plaintext can be analyzed:
a. Known-ciphertext attack
b. Chosen-ciphertext attack
c. Chosen-plaintext attack
d. Linear cryptanalysis attack

QUIZ 3
1. This is NOT a Demilitarized Zone (DMZ):
a. A screened subnet
b. A network protected by 2 or more firewalls
c. A zone that's accessible by the public
d. A zone that filters network traffic

2. Each of these is a Distributed Denial-of-Service (DDOS) attack, with the exception of this one:
a. SYN Flood Attack
b. Replay Attack
c. Teardrop Attack
d. Smurf Attack

3. Dedicated environmental controls for a computer room that regulate temperature, static
electricity, and humidity are called:
a. CRAC
b. HVAC
c. AC
d. ACS

4. 802.1X is a common form of Network Access Controls (NAC) and is frequently paired with what
to provide the best security?
a. AES
b. EAS
c. EAP
d. ES

5. When an attacker attempts to connect to any wireless network that will permit access, that is
called:
a. War-dialing attack
b. Brute-force attack
c. War driving attack
d. Smurf attack

6. Which of these is NOT an environmental concern when it comes to facility location and design?
a. Earthquakes
b. Flooding
c. Facility lighting
d. Fire

7. What is the TOP priority within physical security?
a. Personnel safety and security
b. Data safety and security
c. Information system security
d. Information system safety

8. Which layer of the OSI model is responsible for providing Internet access, sending files, and
remote access?
a. Session Layer
b. Internet Layer
c. Application Layer
d. Presentation Layer

9. With wireless networks, it's a good security practice to require guest users to access this FIRST:
a. Guest zone
b. The organization's website
c. Captive portal
d. A guest network

10. What is your question?
a. Yes
b. No

11. All system user accounts must meet all of the following criteria EXCEPT:
a. Default passwords must be changed
b. Have default permissions assigned
c. Require a strong/complex password
d. Be uniquely attributed to the user

12. Uninterruptible Power Supplies (UPS) are used to provide what kind of power to the facility?
a. Continuous power to the facility
b. Backup power in the form of batteries
c. Backup power in the form of generators
d. Technical power that is separate from facility power

13. Network Address Translation (NAT) DOES NOT:
a. Convert public IPv4 addresses into private IPv4 addresses
b. Convert private IPv4 addresses into public IPv4 addresses
c. Convert IPv4 addresses into MAC addresses
d. Statically or dynamically convert network addresses

14. When creating network access control lists (ACL), how should the ACLs be designed to
implement the BEST security?
a. Deny traffic by default
b. Deny traffic by exception
c. Permit traffic by exception
d. Permit traffic by default

15. What is a facility or room dedicated to housing information system components to support
continuous operations?
a. Communications room
b. Operations center
c. Data center
d. Equipment room

16. What type of attack is focused on denying availability of information system resources?
a. SYN Flood
b. Ping Sweep
c. Denial-of-Service
d. Port Scan

17. When controlling access to a restricted area, proximity badge readers should be installed and
connected to this to provide total security awareness?
a. Audit logs
b. SIEM
c. Access Control System
d. Alarm system

18. When setting up a Class B network, what is the default subnet mask?
a. 255.0.0.0
b. 255.255.0.0
c. 255.255.255.0
d. 255.255.255.255

19. Which layer of the OSI model is responsible for converting segments into packets?
a. Network Layer
b. Internet Layer
c. Transport Layer
d. Data Link Layer

20. What layer of the OSI model specifies electrical, mechanical, and functional requirements of a
network?
a. Session layer
b. Network layer
c. Physical layer
d. Transport layer

21. A DNS poisoning attack:
a. Alters a victim’s DNS table with incorrect information
b. Alters a victim’s DNS IP address with an incorrect one
c. Alters a victim’s ARP table with incorrect information
d. Sends spoofed TCP SYN packets with the victim's own IP address
