1. Each of the following steps is part of the penetration testing process, but this step is NOT:
a. Attack and exploit
b. Information gathering
c. Reporting
d. Vulnerability Assessment
This answer is incorrect. The correct answer is 'D'. Vulnerability assessments involve
identifying vulnerabilities, categorizing vulnerabilities, and addressing known vulnerabilities.
Mitigating vulnerabilities is part of risk management. (See the following lesson:
Vulnerability Assessments and Penetration Tests)
This answer is incorrect. The correct answer is 'A'. RSA is an asymmetric key algorithm. (See
the following lesson: Cryptographic Algorithms)
3. Monitoring the information system is vital to system security. What is included in the system
monitoring process?
a. Watching security audit logs in real-time
b. Capturing SNMP traffic for system health and status purposes
c. Building a security operations center (SOC) and tasking personnel to monitor security logs
d. Analyzing a variety of audit logs and system messages
This answer is correct. System monitoring is analyzing a variety of audit logs, messages, and
other mechanisms. It's important to collect and analyze multiple logs, not just security logs.
(See the following lesson: System Auditing and Monitoring)
This answer is incorrect. The correct answer is 'A'. Network security assessments (or any
assessments for that matter) are designed to ensure security risks are at an acceptable level.
(See the following lesson: Network Security Assessment)
6. What type of attack uses digital communication messages to collect private or sensitive
information?
a. Phishing
b. Pretexting
c. Vishing
d. Whaling
This answer is incorrect. The correct answer is 'A'. Phishing attacks use digital
communication messages to collect private or sensitive information. (See the following
lesson: Common Attacks Against Personnel)
This answer is incorrect. The correct answer is 'D'. End-of-life/support is important, but
firewalls typically have a lifespan of 5-7 years. All other activities must be done regularly to
ensure proper protection. (See the following lesson: Firewall Technologies)
9. Before selecting security controls, what is the FIRST thing you should do?
a. Know what kind of components need protection
b. Know what kind of data needs protection
c. Know how to securely configure each component
d. Get stakeholder approval for the security controls
Security control selection all depends on the protection needs for the data. (See the following
lesson: Selecting Security Controls)
10. When a username and password are used for identification and authentication, what factor
authentication is this?
a. Type 4
b. Type 3
c. Type 2
d. Type 1
This answer is correct. Type 1 authentication is something you know, like a username and
password. (See the following lesson: Understanding Identity and Access Management)
11. Data that remains on a storage device even after it has been deleted is called:
a. Data Remanence
b. Wiped Data
c. Leftover Data
d. Deleted Data
This answer is incorrect. The correct answer is 'A'. A major security concern is data
remanence, or when data remains on a storage device even after it has been deleted. (See the
following lesson: The Different Types of Data Storage)
12. If the cost of risk mitigation is a factor, what is the BEST approach for making an informed risk
decision?
a. Perform another risk assessment
b. Conduct a Cost/Benefit analysis
c. Accept the risk to avoid spending any more money
d. Meet with system stakeholders for official direction
This answer is incorrect. The correct answer is 'B'. A cost/benefit analysis should be used to
make your risk decision if money is a factor. (See the following lesson: Managing Security
Risks)
14. Which layer of the OSI model is responsible for converting segments into packets?
a. Network Layer
b. Internet Layer
c. Transport Layer
d. Data Link Layer
This answer is incorrect. The correct answer is 'A'. The network layer (layer 3) converts
segments from the transport layer. (See the following lesson: TCP/IP And The OSI Model)
15. A collection of system services and resources made available over the internet is called:
a. Web applications
b. A website
c. Virtualization
d. Cloud Computing
This answer is correct. Cloud computing is a collection of system services and resources made
available to users over a network (usually the internet). (See the following lesson:
Virtualization and the Cloud)
IPSEC creates a secure tunnel by adding encryption to a VPN in tunnel mode. (See the following
lesson: Remote Access Security)
This answer is incorrect. The correct answer is 'D'. Data is most vulnerable while in transit
vulnerable and must be properly protected. (See the following lesson: Protecting Sensitive
Data)
19. Operations and maintenance is important to ensure all of the following, EXCEPT:
a. The system is functioning properly as it was designed
b. The system adds new capabilities to meet organizational needs
c. The system is patched for known flaws and/or vulnerabilities
d. The system maintains a consistent operating baseline
This answer is incorrect. The correct answer is 'B'. Adding new capabilities is part of system
development, not O&M. (See the following lesson: Systems Operations And Maintenance)
20. Which of the following is NOT important when preparing for a security assessment?
a. Ensure all required personnel are available
b. Verify that all system resources and components are ready
c. Identify and prepare what needs to be tested
d. Document all results of the security assessment
This answer is incorrect. The correct answer is 'D'. Documenting the results takes place after
the assessment has been conducted. (See the following lesson: Preparing For A Security
Assessment)
21. What is data or information that can uniquely identify a specific individual?
a. PHI
b. PII
c. PPI
d. Confidential
This answer is incorrect. The correct answer is 'B'. PII is any information that can
uniquely identify a specific individual. (See the following lesson: Protecting Sensitive
Data)
This answer is incorrect. The correct answer is 'A'. Compliance is not a phase of the System
Development Lifecycle (SDLC). Compliance is done as a part of the
Implementation/Assessment phase. (See the following lesson: Systems Development
Methodologies)
This answer is correct. Personnel are one of the biggest risks to information security. (See the
following lesson: Managing Personnel Security)
24. DevOps is the process of combining system development and operations into a continuous
process. When assessing the security architecture, what is one of the most important parts of
DevOps security?
a. DevOps tools are properly patched and up to date
b. The system is properly supported by DevOps software
c. Security must be integrated into DevOps as part of system and security architecture
d. Products deployed as part of DevOps are properly secured after deployment
This answer is incorrect. The correct answer is 'C'. It's very important that security is
integrated into DevOps as part of system and security architecture. (See the following lesson:
Assessing System Security Architecture)
This answer is incorrect. The correct answer is 'D'. The development environment should be
used to build or create a system or product. (See the following lesson: Systems Security
Architecture)
This answer is correct. The authentication factors are: Type 1 authentication is something
you know; Type 2 authentication is something you have; Type 3 authentication is something
you are or do; “Type 4” authentication is somewhere you are. (See the following lesson:
Understanding Identity and Access Management)
This answer is incorrect. The correct answer is 'A'. Least privilege is ensuring users only have
enough privileges necessary to perform their tasking. (See the following lesson: Important
Security Principles)
28. What can be caused as a result of poorly managed user accounts, passwords, and sessions?
a. No authentication
b. Strong authentication
c. Broken authentication
d. Bad authentication
This answer is incorrect. The correct answer is 'C'. Broken authentication is a result of poorly
managed user accounts, passwords, and sessions. (See the following lesson: Securing
Software and Applications)
This answer is incorrect. The correct answer is 'C'. DAC allows object owners to control
access directly to their objects. (See the following lesson: Understanding Access Control
Models)
30. What is the term used to describe the permissions or restrictions for an identified and
authenticated user?
a. Authorization
b. Authentication
c. Accounting
d. Access
This answer is correct. Authorization is the set of permissions or restrictions for an identified and
authenticated user and involves rules or configuration to permit or restrict a user’s access.
(See the following lesson: Understanding Identity and Access Management)
QUIZZ 1
1. Least privilege is important to ensure users only have:
a. The privilege levels necessary to perform their tasking
b. The proper access levels to be effective at their jobs
c. The privilege levels necessary to configure the system how they want it
d. Adequate privilege levels to enforce proper security, while providing users flexibility
2. When an organization wants to declare very detailed and short-range security goals and
objectives, this should be documented in a:
a. Operational Plan
b. Operations Guide
c. Security Plan
d. Tactical Plan
3. When performing a cost/benefit analysis, which is NOT a consideration when making a
risk-based decision?
a. Performing multiple risk assessments
b. Determining how much information to provide senior management so that they can make
a decision
c. Analyzing risk assessment results over different periods of time
d. Gathering as much detailed data as possible to present to senior management to make a
risk decision
5. When deciding to mitigate a security risk, what is the focus of doing this?
a. Deciding to accept the risk because it's necessary for system operations
b. Eliminating the risk from any further evaluation
c. Reducing the risk to an acceptable level
d. Ignoring the risk altogether as it will not impact system operations
6. The states of data include each of these EXCEPT:
a. Data in process
b. Data in use
c. Data in transit
d. Data at rest
8. If you cannot determine how much a system asset costs, what is the best approach to perform a
risk assessment?
a. A hybrid risk assessment
b. A quantitative risk assessment
c. A qualitative risk assessment
d. A qualified risk assessment
9. To discover the potential loss for a single security occurrence, the proper formula to use is:
a. AV * EF
b. SLE ARO
c. AV ACS
d. ALE AV
14. An organization conducting an ongoing effort to ensure an organization's assets and/or people
remain protected is called what?
a. Do Correction
b. Due Diligence
c. Due Care
d. Due Protection
19. When determining the value of an organizational asset, which is LEAST important?
a. The impact to organizational personnel
b. How much money it costs to replace the asset
c. How long it will take to replace the asset
d. How much money it costs to repair the asset
20. Michael is a new security engineer working for a small company. He received notification from a
firewall vendor stating the operating system had a critical vulnerability and a patch update was
available to correct the vulnerability.
a. Download and apply the patch update
b. Contact the network administrator and work with them to apply the patch update
c. Verify the vulnerability affects the operational firewall(s)
d. Follow the established security policy for handling patch updates
QUIZZ 2
2. What type of security control is used to address a known risk, vulnerability, or threat that
cannot be mitigated directly?
a. Corrective control
b. Compensating control
c. Preventative control
d. Detective control
3. When using SHA to hash an input value, what key size would create the STRONGEST encryption?
a. 128 bits
b. 224 bits
c. 256 bits
d. 512 bits
4. Before selecting security controls, what is the FIRST thing you should do?
a. Know what kind of components need protection
b. Know what kind of data needs protection
c. Know how to securely configure each component
d. Get stakeholder approval for the security controls
5. Public Key Cryptography (asymmetric) uses what kind of keys for encryption and decryption?
a. 2 secret keys
b. A secret key and a public key
c. A public and private key
d. A private and a secret key
6. What BEST describes the policies, procedures, safeguards, countermeasures, and other means
used to enforce an organization's security needs?
a. Evaluation Criteria
b. Security Plan
c. Security Requirement
d. Security Control
7. Each of these components is part of SCADA systems EXCEPT:
a. RTU
b. HMI
c. DAS
d. IOT
10. What kind of system is designed to operate large scale infrastructure or production operations?
a. ICS
b. SCADA
c. DCS
d. BYOD
11. Which security control framework uses risk impact levels, data overlays, and/or priority and
baseline allocation for control selection?
a. ISO 27002
b. CoBIT
c. NIST SP 800-53
d. COSO
12. The information system you are working with is referred to as a closed system. Why is it
important to know the difference between a closed or open system?
a. Closed systems typically use multiple vendors and various system components
b. Open systems typically use industry recognized best practices and standards
c. Closed systems typically create fewer vulnerabilities due to using open industry standards
d. Closed systems typically create more vulnerabilities due to lack of best practices and
standards
13. DevOps is the process of combining system development and operations into a continuous
process. When assessing the security architecture, what is one of the most important parts of
DevOps security?
a. DevOps tools are properly patched and up to date
b. The system is properly supported by DevOps software
c. Security must be integrated into DevOps as part of system and security architecture
d. Products deployed as part of DevOps are properly secured after deployment
15. What is a system that is connected by a network in order to share resources and create a single
integrated system?
a. Client-Server system
b. Distributed system
c. Networked system
d. Cloud based system
17. What kind of passive attack focuses on observing how the cryptographic algorithm works?
a. Analytic attack
b. Statistical attack
c. Linear cryptanalysis attack
d. Side-channel attack
18. This framework model is focused on developing a risk driven security architecture
a. SABSA
b. TOGAF
c. DoDAF
d. Zachman
19. AES has 3 different options for creating encryption keys. Which one of these IS NOT an AES key
size?
a. 192 bits
b. 112 bits
c. 256 bits
d. 128 bits
20. This type of attack chooses what ciphertext will be decrypted so that the corresponding
plaintext can be analyzed?
a. Known-ciphertext attack
b. Chosen-ciphertext attack
c. Chosen-plaintext attack
d. Linear cryptanalysis attack
QUIZZ 3
1. This is NOT a Demilitarized Zone (DMZ):
a. A screened subnet
b. A network protected by 2 or more firewalls
c. A zone that's accessible by the public
d. A zone that filters network traffic
2. Each of these is a Distributed Denial-of-Service (DDoS) attack, with the exception of this one:
a. SYN Flood Attack
b. Replay Attack
c. Teardrop Attack
d. Smurf Attack
4. 802.1X is a common form of Network Access Controls (NAC) and is frequently paired with what
to provide the best security?
a. AES
b. EAS
c. EAP
d. ES
5. When an attacker attempts to connect to any wireless network that will permit access, that is
called:
a. War-dialing attack
b. Brute-force attack
c. War driving attack
d. Smurf attack
6. Which of these is NOT an environmental concern when it comes to facility location and design?
a. Earthquakes
b. Flooding
c. Facility lighting
d. Fire
7. What is the TOP priority within physical security?
a. Personnel safety and security
b. Data safety and security
c. Information system security
d. Information system safety
8. Which layer of the OSI model is responsible for providing Internet access, sending files, and
remote access?
a. Session Layer
b. Internet Layer
c. Application Layer
d. Presentation Layer
9. With wireless networks, it's a good security practice to require guest users to access this FIRST:
a. Guest zone
b. The organization's website
c. Captive portal
d. A guest network
11. All system user accounts must meet all of the following criteria EXCEPT:
a. Default passwords must be changed
b. Have default permissions assigned
c. Require a strong/complex password
d. Be uniquely attributed to the user
12. Uninterruptible Power Supplies (UPS) are used to provide what kind of power to the facility?
a. Continuous power to the facility
b. Backup power in the form of batteries
c. Backup power in the form of generators
d. Technical power that is separate from facility power
15. What is a facility or room dedicated to housing information system components to support
continuous operations?
a. Communications room
b. Operations center
c. Data center
d. Equipment room
16. What type of attack is focused on denying availability of information system resources?
a. SYN Flood
b. Ping Sweep
c. Denial-of-Service
d. Port Scan
17. When controlling access to a restricted area, proximity badge readers should be installed and
connected to this to provide total security awareness?
a. Audit logs
b. SIEM
c. Access Control System
d. Alarm system
18. When setting up a Class B network, what is the default subnet mask?
a. 255.0.0.0
b. 255.255.0.0
c. 255.255.255.0
d. 255.255.255.255
19. Which layer of the OSI model is responsible for converting segments into packets?
a. Network Layer
b. Internet Layer
c. Transport Layer
d. Data Link Layer
20. What layer of the OSI model specifies electrical, mechanical, and functional requirements of a
network?
a. Session layer
b. Network layer
c. Physical layer
d. Transport layer