Cybrary Training

Phase 1

Governance No. of Hours


Risk Management 1 Hour
Risk Management Framework 2 Hours
Policy Development 1 Hour
IT Security Governance 1 Hour
IT Governance and Management 1 Hour
Organizational Data Security Fundamentals 1 Hour
Access Control and Identity Management 2 Hours
Asset Security 1 Hour
Protection of Information Assets 1 Hour
Incident Management 1 Hour
Business Continuity and Disaster Recovery Planning 1 Hour

Technical No. of Hours


Open Systems Interconnection Model 1 Hour
TCP/IP 1 Hour
Network Fundamentals 1 Hour
Fundamental System Security 2 Hours
Communication and Network Security 1 Hour
Network Devices 1 Hour
IDS/IPS 1 Hour
CompTIA Network+ (Micro certification not available) 11 Hours

End User No. of Hours


End User Fundamentals 1 Hour
End User Security Fundamentals 1 Hour
End User Email 2 Hours
End User PII 1 Hour
End User Physical Security 1 Hour
End user Network Security 1 Hour
End User: Cyber Fundamentals 1 Hour

Risk Management
1. Information security baselines for information assets vary depending on which of the following?
a. Availability and reliability
b. Sensitivity and criticality
c. Integrity and accountability
d. Assurance and nonrepudiation

2. What is the appropriate response when the value of the resource is less than the cost of the
countermeasure?
a. Risk rejection
b. Risk acceptance
c. Risk transference
d. Risk mitigation

3. What are the three fundamental principles of security?
a. Accountability, confidentiality, and integrity
b. Integrity, availability, and accountability
c. Confidentiality, integrity, and availability
d. Availability, accountability, and confidentiality

4. Which of the following is a management control implemented to mitigate risks?
a. RAID
b. Encryption
c. Policies
d. Physical Security
5. A company is trying to limit the risk associated with the use of unapproved USB devices to copy
documents. Which of the following would be the BEST technology control to use in this scenario?
a. Content filtering
b. IDS
c. Audit logs
d. Group Policy

6. Which of the following is out of place?
a. High, medium, low rankings
b. Subjective intuition
c. Objective opinions
d. Quantitative value

7. What two elements make up the risk loss potential?
a. Threat and analysis
b. Probability and Impact
c. Resources and Elements
d. Funding and support

8. Who is ULTIMATELY responsible for ensuring that the organization's risks are managed and that
resources are utilized effectively?
a. The IT Staff
b. Users
c. Senior Management
d. Everyone

9. Is Risk Management a project?
a. Yes, it is an ongoing and repetitive amount of work that is never complete
b. No, it is not limited by time
c. Yes, it is large in nature and scope and is constrained by time, scope and cost
d. No, it has relative short-term focus on the immediate threats to the organization

10. Which is more objective and number-based in nature?
a. Risk acceptance levels
b. Risk Tolerance
c. Quantitative Analysis
d. Secondary Risk

11. In order to mitigate security risks, we implement
a. Budget
b. Controls
c. Risk rejection
d. Risk elimination

12. Which of the following is BEST suited for the review of IT risk analysis results before the results are
sent to management for approval and use in decision making?
a. An internal audit review
b. A peer review
c. A compliance review
d. A risk policy review

13. Prior to releasing an operating system security patch into production, a best practice is to have the
patch:
a. applied simultaneously to all systems.
b. procured from an approved vendor.
c. tested in a pre-production test environment.
d. approved by business stakeholders.

14. Based on the following: A warehouse is worth $1,000,000, which includes the structure and its
contents. If a fire were to occur, it is expected that 40% of the warehouse would be damaged. The
annual risk of fire is 8%. A fire prevention countermeasure will cost $5,000 per year. This
countermeasure will reduce the damage to the warehouse from 40% to 15%. How much money is
the countermeasure worth annually?
a. $5,000
b. $27,000
c. $15,000
d. $20,000
e. $150,000

15. The likelihood that an attack will be successful is based on the
a. Skill and motivation of the attacker
b. How much money the target organization spent on security
c. Whether or not the organization did a risk analysis

16. Which of the following would be the best mitigation strategy to limit the success of spoofed
messages?
a. Implement and require the use of hashing
b. Implement a security awareness program focusing on social engineering
c. Implement the use of digital signatures
d. Implement Message Authentication Codes

17. When would it be appropriate to accept a risk?
a. When the potential for loss is equal to the cost of the control
b. When the potential for loss is less than or equal to the cost of the control
c. When the potential for loss is less than the cost of the control
d. When the potential for loss is greater than the cost of the control
e. When the potential for loss is greater than or equal to the cost of the control

18. Risk appetite should be aligned with business objectives to ensure that:
a. resources are directed toward areas of low risk tolerance.
b. major risk is identified and eliminated.
c. IT and business goals are aligned.
d. the risk strategy is adequately communicated.

19. Which group represents the greatest potential for harm to an organization?
a. Hackers
b. Customers
c. Vendors
d. Employees

20. Which of the following should be of MOST concern to a risk analyst?
a. Failure to notify the public of an intrusion
b. Failure to notify the police of an attempted intrusion
c. Failure to examine access rights periodically
d. Failure to internally report a successful attack

21. In order to ensure the risk management strategy is in alignment with business objectives, which of
the following is true?
a. The IT staff should be solely responsible for development of strategy
b. Senior management should be involved heavily in the strategy development
c. Strategy is developed by the end-users as they are most knowledgeable about the
organization
d. Strategy is developed after policy is written

22. The PRIMARY benefit of using a maturity model to assess the enterprise’s data management
process is that it:
a. can be used for benchmarking
b. helps identify gaps in security controls
c. provides goals and objectives
d. enforces continuous improvement
23. What type of analysis determines the amount to be spent on a countermeasure?
a. Delphi
b. Qualitative
c. Quantitative
d. Risk-based
e. Cost-benefit Analysis

24. An accountant has been embezzling money from the organization while responsible for payroll.
Which of the following is the best example of risk ACCEPTANCE (Not what SHOULD you do, but if
you accepted the risk, what would you do?)
a. Fire the employee
b. Work out a payment plan for the employee to pay back the money
c. Do nothing
d. Hire another accountant to do payroll

25. Which one of the following statements describes management controls for implementing a
security policy?
a. They prevent users from accessing any control function.
b. They eliminate the need for most auditing functions.
c. They may be administrative, physical, or technical.
d. They are generally inexpensive to implement.

26. Based on the following: A warehouse is worth $1,000,000, which includes the structure and its
contents. If a fire were to occur, it is expected that 40% of the warehouse would be damaged. The
annual risk of fire is 8%. What is the Exposure Factor?
a. 40%
b. 8%
c. $1,000,000
d. $400,000
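The warehouse scenario in questions 14 and 26 is a standard quantitative risk calculation: Single Loss Expectancy (SLE = asset value x exposure factor), Annualized Loss Expectancy (ALE = SLE x annualized rate of occurrence), and the annual value of a safeguard (ALE before minus ALE after minus the safeguard's annual cost). The Python below is an added worked example, not part of the original question bank; the figures are taken from the question, while the class and function names are this example's own. It also applies the accept-versus-mitigate rule from questions 2 and 17 (accept when the loss avoided is less than the cost of the control).

```python
"""Quantitative risk analysis: SLE, ALE and the annual value of a safeguard.

Added worked example for the warehouse scenario; the numbers come from the
question, the class and function names are assumptions of this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    annual_rate: float       # ARO, expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.annual_rate


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Annual value of a countermeasure:
    (ALE before) - (ALE after) - (annual cost of the safeguard).
    Positive means the safeguard pays for itself on quantitative grounds."""
    return before.ale() - after.ale() - annual_cost


def recommend(before: RiskScenario, after: RiskScenario, annual_cost: float) -> str:
    """Accept the risk when the loss avoided is less than the cost of the
    control (questions 2 and 17); otherwise mitigate it."""
    return "mitigate" if safeguard_value(before, after, annual_cost) >= 0 else "accept"


# Constructed from the warehouse question: $1,000,000 asset, 40% damage per fire,
# 8% annual probability; the safeguard costs $5,000/yr and cuts damage to 15%.
WAREHOUSE = RiskScenario(asset_value=1_000_000, exposure_factor=0.40, annual_rate=0.08)
WAREHOUSE_WITH_SAFEGUARD = RiskScenario(asset_value=1_000_000, exposure_factor=0.15, annual_rate=0.08)
FIRE_SAFEGUARD_COST = 5_000


def warehouse_summary() -> dict:
    """Every intermediate figure a quiz answer might ask for, in one place."""
    before, after = WAREHOUSE, WAREHOUSE_WITH_SAFEGUARD
    return {
        "EF": before.exposure_factor,                          # 0.40
        "SLE": before.sle(),                                   # 400,000
        "ALE_before": before.ale(),                            # 32,000
        "ALE_after": after.ale(),                              # 12,000
        "ALE_reduction": before.ale() - after.ale(),           # 20,000
        "net_value": safeguard_value(before, after, FIRE_SAFEGUARD_COST),  # 15,000
        "decision": recommend(before, after, FIRE_SAFEGUARD_COST),
    }


if __name__ == "__main__":
    for key, value in warehouse_summary().items():
        print(f"{key:>14}: {value:,.2f}" if isinstance(value, float) else f"{key:>14}: {value}")
```

Note the distinction the two answer options $20,000 and $15,000 turn on: the safeguard reduces the ALE by $20,000, but after subtracting its $5,000 annual cost it is worth $15,000 a year. Run with a higher safeguard cost than the ALE reduction and `recommend` switches to "accept".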

27. A threat to confidentiality of data is
a. Spoofing
b. Sniffing
c. DDoS
d. Flooding

28. It is MOST important that risk appetite be aligned with business objectives to ensure that:
a. resources are directed toward areas of greatest concern to the business.
b. major risk is identified and eliminated.
c. the IT department can have all the funding it requests.

29. Which of the following statements BEST describes the VALUE of a risk register?
a. It captures the risk inventory.
b. It is used to record costs associated with risks
c. It is a management tool that helps the risk team develop an appropriate risk response plan.
d. It lists internal risk and external risk.

30. A company is trying to limit the risk associated with the use of unapproved USB devices to copy
documents. Which of the following would be the BEST technology control to use in this scenario?
a. Content filtering
b. IDS
c. Audit logs
d. Group Policy

31. Utilizing a cloud service provider for business continuity is:
a. Risk Reduction
b. Mitigation
c. Transference
d. Acceptance

32. The goal of IT risk analysis is to:
a. Eliminate all risks
b. Determine the potential for loss, so that we are able to prioritize risk responses.
c. Make it easier to write policy.

33. Which of the following is not part of risk analysis?
a. Assets
b. Threats
c. Vulnerabilities
d. Countermeasures

34. The PRIMARY benefit of using a maturity model to assess the enterprise's data management
process is that it:
a. can be used for benchmarking.
b. Evaluates the maturity of an organization's processes to assist in working towards
improvement.
c. provides goals and objectives.
d. enforces continuous improvement.
35. An organizational risk management strategy should focus on how to ___________
a. Eliminate Risks
b. Identify Risks
c. Reduce Risk to an acceptable level
d. Transfer risks

36. Despite a comprehensive security awareness program annually undertaken and assessed for all
staff and contractors, an enterprise has experienced a breach through a spear phishing attack.
What is the MOST effective way to improve security awareness?
a. Review the security awareness program and improve coverage of social engineering threats.
b. Launch a disciplinary process against the people who leaked the information.
c. Perform a periodic social engineering test against all staff and communicate summary
results to the staff.
d. Implement a data loss prevention system that automatically points users to corporate
policies.

37. The preparation of a risk register begins in which risk management task?
a. Risk response planning
b. Risk monitoring and control
c. Risk management planning
d. Risk identification

38. What keeps the organization moving forward in the event that risks are greater than anticipated,
risks are unidentified, or if residual risks are greater than expected?
a. Experience of senior management
b. Ability of IT manager to think quickly and resolve problems effectively
c. Business Continuity and Disaster Recovery Planning
d. Risk Meetings

39. Which of the following is MOST important for measuring the effectiveness of a security awareness
program?
a. A quantitative evaluation to ensure user comprehension
b. A reduced number of security violation reports
c. Increased interest in focus groups on security issues
d. An increased number of security violation reports

40. Which business principle is present in risk acceptance, but not risk rejection?
a. Due Diligence
b. Due Care
c. Culpable Negligence
d. Liability

Risk Management Framework
1. Which is an example of a technical control?
a. CCTV
b. Access control list
c. Policy
d. IT training

2. Which methods does NIST SP 800-37 propose for assessing security controls?
a. Observe, Objectify, Measure
b. Interview, Examine, Test
c. Examine, Analysis, Report
d. Inspect, Audit, Analyse

3. Which information is evaluated for a system to determine the appropriate security controls?
a. Value to the organization
b. Magnitude of harm occurring from loss of confidentiality, integrity, and availability
c. The probability that this risk might occur
d. All of the above

4. Which phases of the RMF utilize the System Security Plan?
a. System Categorization
b. Select Security Controls
c. Implement Controls
d. All of the above

5. How is a moderate impact system defined when considering system categorization?
a. Compromise of all security objectives would have a moderate impact
b. Compromise of any security objective would have a moderate impact
c. Compromise of any security objective would have at least a moderate impact and the other
two are no higher than moderate
d. Compromise of one security objective would have a moderate impact, and the other two are
no higher than moderate

6. Which term is defined as: Management, operational, and technical safeguards or countermeasures
employed within an organizational information system to protect the confidentiality, integrity, and
availability of the system and its information?
a. Security baselines
b. Guidelines
c. Security controls
d. Best practices
7. Which document provides input into the Select Security Controls step?
a. Minimum Security Baseline (MSB)
b. Results from penetration tests
c. System Security Plan (SSP)
d. Security Assessment Report (SAR)
8. Which is an example of a management control?
a. CCTV
b. Access control list
c. Policy
d. IT training

9. Who is responsible for system categorization?
a. Information System Owner
b. Authorizing Official
c. Designated Approving Authority
d. The IT staff

10. What are the risk factors identified in NIST SP 800-30 rev 1?
a. Threats, impacts, vulnerabilities, and likelihood
b. Damage, frequency, asset valuation, and annual loss expectancy
c. Analysis, assessment, valuation, and mitigation
d. Assets, vulnerabilities, valuation, and potential

11. What level of quantitative risk exceeds the threat to the critical functionality of a system?
a. Moderate
b. Medium
c. Low
d. High

12. What is the correct order of the RMF steps?
a. Categorize, Perform Risk Analysis, Select Controls, Implement Security Controls, Test
Security Controls
b. Perform Risk Analysis, Select Controls, Implement Controls, Monitor Controls
c. Categorize, Select Controls, Implement Controls, Assess Control, Certify System, Authorize
System, Accredit System
d. Categorize, Select Controls, Implement Controls, Assess Controls, Authorize System,
Monitor Controls

13. Which is an example of an operational control?
a. Auditing
b. Encryption
c. Policy
d. Firewalls

14. What should the Information System Owner do to determine the appropriate security control for a
system?
a. Select the initial security control baseline based on the system categorization
b. Tailor and supplement the security controls based on a risk assessment
c. Document the results in the System Security Plan
d. All of the above

15. Which term indicates the overall impact level of an information system with regard to security
objectives?
a. Least common denominator
b. Least privilege
c. High water mark
d. Lowest Security Standard
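Questions 5 and 15 both come down to the FIPS 199 high-water mark: a system that processes several information types takes, for each security objective, the highest impact assigned to any of those types, and the system's overall impact level (the one that selects the low/moderate/high control baseline in the Select Controls step) is the highest of the three objectives. The Python below is an added worked example, not part of the original question bank; the payroll system and its two information types are constructed for illustration, and the function names are this example's own.

```python
"""FIPS 199 security categorization with the high-water mark.

Added worked example; the information types and their ratings are constructed
for illustration, not taken from the page. Function names are assumptions.
"""
from typing import Dict, Iterable

LEVELS = ("LOW", "MODERATE", "HIGH")          # FIPS 199 impact levels, ascending
OBJECTIVES = ("confidentiality", "integrity", "availability")
RANK = {level: i for i, level in enumerate(LEVELS)}


def _highest(levels: Iterable[str]) -> str:
    """Return the highest impact level in `levels`, rejecting unknown values."""
    levels = list(levels)
    for level in levels:
        if level not in RANK:
            raise ValueError(f"unknown impact level {level!r}; expected one of {LEVELS}")
    return max(levels, key=RANK.__getitem__)


def system_category(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Per-objective security category of a system: for each objective, the
    highest impact assigned to any information type the system handles
    (FIPS 199 aggregation). Input shape: {info_type: {objective: level}}."""
    if not info_types:
        raise ValueError("a system must have at least one information type")
    return {
        objective: _highest(ratings[objective] for ratings in info_types.values())
        for objective in OBJECTIVES
    }


def high_water_mark(category: Dict[str, str]) -> str:
    """Overall impact level = highest of the three objectives. A MODERATE result
    means at least one objective is MODERATE and none is HIGH, which is the
    definition asked for in question 5."""
    return _highest(category[objective] for objective in OBJECTIVES)


def format_sc(category: Dict[str, str]) -> str:
    """Render the category in FIPS 199 notation."""
    pairs = ", ".join(f"({objective}, {category[objective]})" for objective in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed example: a payroll system handling two information types. Employee
# PII drives confidentiality and integrity to MODERATE; nothing is HIGH.
PAYROLL = {
    "employee PII": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "public job postings": {"confidentiality": "LOW", "integrity": "LOW", "availability": "LOW"},
}


if __name__ == "__main__":
    category = system_category(PAYROLL)
    print(format_sc(category))
    print("overall impact (high-water mark):", high_water_mark(category))
```

The practical consequence is that a single HIGH rating on one objective of one information type pulls the whole system to the HIGH baseline, which is why information types with no real availability or integrity requirement are rated LOW on those objectives rather than defaulted upward.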

16. What is the significance of FISMA?
a. Assigned NIST the responsibilities for standards and guidelines to categorize information
and information systems and their corresponding security requirements
b. Specified the Secure Systems Engineering processes and describes each step of the Secure
System Development Lifecycle
c. Provided a list of approved algorithms to be used to protect each classification of data from
SBU through Top Secret
d. Provided the process of Certification and Accreditation for all federal systems

17. Which NIST Special Publication describes the Risk Management Framework?
a. 800-53A
b. 800-171
c. 800-37 Rev. 1
d. 800-30

18. What are the security objectives specified in FISMA for information and information systems?
a. Confidentiality, Integrity, and Authenticity
b. Confidentiality Integrity and Availability
c. Confidentiality, Integrity and Authorization
d. Confidentiality, Integrity and Non-repudiation

19. What is the purpose of a Plan of Action & Milestones document?
a. A corrective action plan for tracking and planning the resolution of information security
weaknesses
b. A plan to respond to anticipated information performance weaknesses
c. A management tool for documentation of security vulnerabilities
d. An action plan for proactive means of addressing issues affecting system performance

20. What is the purpose of the System Security Plan?
a. Summarize security requirements
b. Present proposed controls
c. Document findings of risk mitigation strategy
d. Provide the course of action for systems that do not meet security requirements

21. What is the purpose of ISCM?
a. Provides ongoing awareness of information security, vulnerabilities, and threats to support
organizational risk management decisions
b. Provides a plan of corrective action for vulnerabilities
c. Provides a strategy for assessing a system
d. Provides the documentation necessary to authorize a system

22. How many phases does the RMF contain?
a. 3
b. 4
c. 5
d. 6

23. Which activities occur in phase two of the RMF?
a. Update SSP and determine monitoring strategy
b. System categorization and testing
c. Select security controls and testing
d. System categorization and update SSP

24. Which documents should be used to categorize information systems?
a. FIPS 199 and NIST SP 800-60
b. FIPS 140 and FIPS 200
c. NIST SP 800-60 and NIST SP 800-171
d. NIST SP 800-37a and NIST SP 800-70

25. Which RMF step includes the determination of the minimum security baseline?
a. Initiation
b. Planning
c. System Categorization
d. Select Controls

26. Which phase of the RMF includes completing the System Security Plan?
a. Initiation
b. Categorization
c. Selection
d. Implementation

27. Which type of risk analysis provides objective numeric information as an input to a Business
Impact Analysis?
a. Qualitative
b. Quantitative
c. FRAP
d. Estimation

28. What is the term for confidence that the security controls implemented within an information
system are effective in their application?
a. Trust
b. Functionality
c. Assurance
d. Assessment

29. Which step of RMF includes creating a System Security Plan?
a. Initiation
b. System Categorization
c. Assessment
d. Select Security Controls

30. Which document provides an overview of security requirements, agreed-upon security controls,
and any supporting security-related documents such as risk assessment?
a. Authorization Decision Document
b. SAR
c. SSP
d. POA&M

31. Which type of security control is a management, operational, or technical safeguard or
countermeasure employed by an organization in lieu of a recommended security control?
a. Fallback plan
b. Work around
c. Compensating control
d. Recovery control

32. Who prepares the System Security Plan?
a. Authorizing Official
b. Information System Owner
c. Information Security Officer
d. Customer

33. Which term defines the least possible security controls for a system?
a. Hardened system
b. Minimum security baseline
c. System security guidelines
d. Access control guidelines

34. Which document is defined by DoD 8510.01 as being used: To assist agencies in identifying,
assessing, prioritizing, and monitoring security weaknesses found in programs and systems, along
with the process of corrective efforts for those vulnerabilities?
a. Security Assessment Report (SAR)
b. System Security Plan (SSP)
c. Plan of Action and Milestones (POA&M)
d. Security Controls Assessment (SCA)

35. Who prepares the Security Assessment Report (SAR)?
a. SCA
b. Designated Approving Authority
c. Authorizing Official
d. Information System Owner

Policy Development
1. Which is the best definition of a gap analysis?
a. Variance analysis in relation to desired performance
b. A management tool to examine risk responses vs. expected results
c. A means of examining current state vs. desired state and how to achieve the desired state
d. A function of the audit team to determine if best practices are being followed

2. Which is likely to change most frequently?
a. Policy
b. Standards

3. What would be an indication that training is effective?
a. Employees no longer report security violations
b. Reports of security violations increase
c. Security violations are totally eliminated
d. Employees constantly call the security team to determine if actions are allowed or
disallowed

4. How often should corporate policies be reviewed?
a. Annually
b. Twice a year
c. Once every five years
d. Annually or in the event of a major change

5. What is the name for step-by-step instructions for how to carry out a task?
a. Policy
b. Procedure
c. Standard
d. Guideline

6. What is the most important reason for policies?
a. Support for the objectives of the business
b. To enforce the maximum amount of security
c. To ensure employees have a workplace free of distraction
d. To ensure company resources are used appropriately

7. What must precede policy development?
a. Creation of standards
b. Completion of IT budget
c. Risk Management
d. Assessment of employee approval

8. Which legislation is an important element for an employee who processes medical information?
a. Gramm-Leach-Bliley Act
b. Sarbanes-Oxley
c. Basel II
d. HIPAA

9. Why should senior management be involved in the creation of a security strategy?
a. To ensure alignment with organizational objectives
b. To inspire confidence in their customers
c. To demonstrate due diligence
d. To avoid legal non-compliance

10. What does an AH (Authentication Header) use to provide integrity and data origin authentication for a packet, including its source address?
a. integrity check value
b. Security lock
c. Encryption
d. IKE

11. Which regulation requires corporate accountability in order to prevent internal fraud?
a. Gramm-Leach-Bliley Act
b. Sarbanes-Oxley
c. Basel II
d. HIPAA

12. Management requires that each employee maintain a workspace devoid of sensitive information,
except when directly working with such information. Which document type would mandate this?
a. Policies
b. Procedures
c. Standards
d. Guidelines

13. What is the most significant driver for the development of policy?
a. Laws and regulations
b. Budget
c. Timeline
d. Company Culture

14. A bank's totals have been off by several hundred dollars in each of the last six weeks. Which policy
might the bank manager implement to determine if one particular person is responsible for the loss?
a. Acceptable use policy
b. Data retention policy
c. Mandatory vacations policy
d. Privacy policy

15. What is a procedure?
a. A suggestion
b. Step-by-step instructions
c. Optional
d. Defined by executive management

16. While policy states that all data should be encrypted, which document is likely to specify the type
of encryption to use?
a. Policy
b. Procedure
c. Standard
d. Guideline

17. If the organization has a group of Linux systems, a group of Microsoft systems, and a group of
Apple systems being used by employees, how many baseline images should the organization have?
a. 1
b. 2
c. 3
d. 4

18. Which document uses "should" as opposed to "shall"?
a. Policy
b. Procedure
c. Standard
d. Guideline

19. An organization provides its sales team with cellular phones. Employees have been advised that
the phones are theirs to keep. They can trade them in, sell them, and keep them after termination.
However, they are also instructed that they are accountable for being contacted 24 hours a day.
Which policy would define these requirements?
a. Data ownership
b. Resource ownership
c. Separation of duties
d. Employee termination

20. To whom should policy apply?
a. Everyone
b. All employees below senior management
c. The IT department
d. Computer users

21. Which document describes senior management's commitment to security, financial support, and
other resources?
a. Policy
b. Procedure
c. Standard
d. Guideline

22. What do baseline security settings typically include?
a. Disable auditing
b. Turn off password policy
c. Increase the attack surface
d. Disable unnecessary services

23. In order to conduct a gap analysis, what is evaluated first?
a. Impact of non-compliance
b. Credentials of auditors
c. Employee buy-in
d. Current state vs. desired state

24. What is the best way to ensure policies are effective?
a. Employee support
b. Senior managements support and enforcement
c. Single layered implementation
d. Employee Training

25. An employee has been subjected to a social engineering test and was persuaded to give their
password to a stranger. How should this situation be handled in a low-to-medium security
environment?
a. Termination of the employee
b. Re-training of the employee
c. Termination of the person conducting the social engineering test, as they should never have
attempted to get an employee's password
d. No action should be taken

26. Should employees have an expectation of privacy in the workplace?
a. Yes
b. No
27. An important element for training medical providers within the context of HIPAA is to ensure a
clear ____ policy is in place and employees are well-trained.
a. Data ownership
b. Computer ownership
c. Acceptable use
d. Cross-training

28. What are the repercussions if policy is not applied correctly and universally?
a. Employee lawsuits
b. Invasion of employee privacy
c. Disgruntled employees
d. All of the above

29. For an employer to infringe upon an employee's privacy, what should the employer do?
a. Be stealthy as to avoid detection by the employee
b. Make sure they document what they find
c. Try to evaluate as much information as possible, so as to draw a better conclusion
d. Notify the employee

30. A requirement that passwords be at least 8 characters long and include alphanumeric and special
characters is an example of what kind of control mechanism?
a. Standard
b. Policy
c. Procedure
d. Guideline

31. You have been hired as an Information Security Officer and have been asked to review existing
policy to determine how to become compliant with new regulations. What should you do?
a. Gap analysis
b. Contact your legislator to determine changes in the regulations
c. Rewrite policy from scratch to ensure compliance
d. Delegate the task, as it is not your responsibility as an ISO

32. What is the best practice for effective training?
a. Train based on skill level of employees
b. Conduct the same training for all employees
c. Only train employees as required by regulation
d. Test employees after training class

33. Is it OK for an employee to browse social media while on the clock (not at break or at lunch)?
a. Yes, as long as the employee gets their work done
b. No, it is unethical to use company time for browsing
c. Policy should specify whether or not this is OK
d. It is up to the employee's discretion

34. Which document is used to define the specifics of policy?
a. Policies
b. Standards
c. Procedures
d. Baselines

35. If senior management writes policy, who is best suited to write procedures?
a. Senior management
b. Functional management
c. IT department
d. End users

36. What is culpable negligence based on?
a. Due diligence
b. Due Care
c. Risk management
d. Employee action

37. What is the purpose of a standard?
a. To provide implementation instructions
b. To explain the specifics of policy
c. To provide suggestions
d. To detail best practices

38. Which type of policy would dictate how employees can use company resources?
a. Computer use policy
b. Data use policy
c. Acceptable use policy
d. Separation of duties policy

39. Which of the following is not a characteristic of a security policy?
a. High-level statement from management
b. Specific, approved technologies
c. Should include management's commitment to support the security function
d. Should include a business case for security

40. Which policy is designed so that no single employee can perform a sensitive activity on their own?
a. Job rotation
b. Privilege escalation
c. Mandatory vacations
d. Dual Control

IT Security Governance
1. What term expresses how many times per year a threat is expected to exploit a vulnerability?
a. ARO
b. ALE
c. SLE
d. MTTR

2. If I were to check my social media using a company computer, that may be a violation of what?
a. Mandatory Vacation
b. Security Policy
c. Acceptable Use Policy
d. Privacy Policy

3. What type of analysis calculates risk based on numeric values?
a. Qualitative Analysis
b. Quantitative Analysis
c. Vulnerability Analysis
d. Risk Assessment

4. When presenting our evidence in the court of law, who is best to have as an expert witness?
a. CEO
b. IT Staff
c. Forensic Expert
d. Security Guard

5. What are controls that discourage potential attackers?
a. Deterrent Controls
b. Preventive Controls
c. Detective Controls
d. Compensating Controls

6. What is an example of cloud computing?
a. Infrastructure as a service
b. Platform as a service
c. Software as a service
d. All of the Above

7. When using social media and applications we have to make sure there is no breach of ?
a. Confidentiality
b. Integrity
c. Availability
d. All of the Above

8. What is the measure of the time we expect a system or device to be down before it is repaired?
a. MTTR
b. MTBF
c. ALE
d. SLE

9. Deciding not to set up HQ in an area that is prone to natural disasters would be an example of what?
a. Risk Assessment
b. Risk Avoidance
c. Risk Transfer
d. Risk Mitigation

10. What is it called when you take responsibility for a risk rather than spending any additional
money to reduce it?
a. Risk Avoidance
b. Risk Mitigation
c. Risk Acceptance
d. Risk Transfer

11. What is an agreement between two entities regarding the level of service being delivered?
a. Interoperability agreement
b. Service Level Agreement
c. Social Media Agreement
d. Business Partner Agreement

12. If not performed correctly, what would allow smaller incidents to build over time and become
catastrophic?
a. Change Management
b. User Right and Permission Review
c. Incident Management
d. Technical controls

13. What is defined as the absence or weakness of a control?
a. Vulnerability
b. Threat
c. Risk
d. None of the Above

14. What is a decommissioned virtual machine that is still on the network but no longer receiving
updates?
a. Virtual OM
b. Old Computer
c. Orphan VM
d. None of the Above

15. What should you be performing routine audits on?
a. Users
b. Infrastructure
c. Controls
d. All of the Above

16. What policy helps deter fraudulent activity from taking place?
a. Acceptable Use Policy
b. Mandatory Vacation
c. Security Policy
d. Privacy Policy

17. What type of control uses passwords and encryption?
a. Technical
b. Management
c. Operational
d. All of the Above

18. What ensures that all changes carried out in the enterprise are properly reviewed?
a. Incident Management
b. Change Management
c. User Right and Permission Review
d. Memorandum of Agreement

19. What are controls that avoid the incident from occurring?
a. Deterrent Controls
b. Preventive Controls
c. Detective Controls
d. Compensating Controls

20. What allows for multiple people to learn multiple duties so that a vacuum is not created by the
loss of a person?
a. Acceptable Use Policy
b. Privacy Policy
c. Security Policy
d. Job Rotation

21. Which of the following gives you the monetary cost of an incident?
a. Checking bank statements
b. Checking hours down
c. Tracking man hours and expenses used to collect the evidence
d. None of the Above

22. When you have located the evidence, what should you do?
a. Nothing; work with the evidence you have
b. Capture a system image
c. Transfer everything to a hard drive
d. Make multiple DVD-ROM copies of all files, folders, etc.

23. How do you mitigate risk?
a. You put controls in place
b. You purchase insurance
c. You deter risks
d. You accept risks

24. What is an example of a vulnerability?
a. Not patching the system
b. Leaving work without logging out of the system
c. Leaving your desk without locking the screen
d. All of the Above

25. What happens when our security system does not report a problem when there is actually a
problem happening?
a. double positive
b. false negative
c. false positive
d. double negative

26. When collecting evidence, you need to capture it in order of volatility. Out of the following, which
should be collected first?
a. Registers, Cache, RAM
b. Network Caches, Virtual Memory
c. Hard drives, Flash Drives
d. CD-ROM, DVD-ROM

27. What defeats separation of duties?


a. Collusion
b. Collision
c. Mandatory Vacation
d. Management

28. What is defined as employees being allowed exactly the permissions needed to get the work
done?
a. Principle of Least Privilege
b. Principle of Most Privilege
c. Principle of All Privilege
d. None of the Above

29. What is the point at which you want to recover your data from?
a. RTO
b. RPO
c. ALE
d. SLE

30. HIPAA is an example of what policy?


a. Privacy Policy
b. Acceptable Use Policy
c. Least Privilege
d. Security Policy

31. What are policies and procedures put in by management?


a. Technical controls
b. Detective Controls
c. Deterrent Controls
d. Administrative Controls

32. True or False? Cloud computing can guarantee confidentiality.


a. TRUE
b. FALSE

33. What type of agreement describes how business will be conducted between the partners?
a. Interoperability agreement
b. Service Level Agreement
c. Business Partner Agreement
d. Memorandum of Agreement

34. What is a hardware or software solution that implements and enforces a policy?
a. Control
b. standard
c. Enforcer
d. None of the Above

35. What is the measure of how long the device will be used until it fails?
a. MTTR
b. MTBF
c. ARO
d. ALE

36. What happens when our security system reports a problem when there is actually no problem at
all?
a. false negative
b. double negative
c. false positive
d. double positive

37. _______________ dictates that critical job functions be broken down into multiple roles.
a. Mandatory Vacation
b. Least Privilege
c. Separation of Duties
d. Security Policy

38. What is the measure of time that we can recover if a device is down?
a. RTO
b. RPO
c. MTBF
d. MTTR

39. What is a policy that dictates how privacy should be carried out within the organization?
a. Mandatory Vacation
b. Acceptable Use Policy
c. Privacy Policy
d. Separation of Duties

40. What is not a type of control?


a. Technical
b. Scientific
c. Management
d. Operational

IT Governance and Management
1. What refers to data and knowledge that is not commonly known?
a. Copyright
b. Trademark
c. Intellectual Property
d. a new idea

2. What compares your process to another similar process?


a. Risk Assessment
b. Benchmarking
c. Business Impact Analysis
d. program evaluation review

3. When would a new requirement possibly become introduced within the business process?
a. Regulations
b. Business need
c. Customer
d. All of the Above

4. Program Management sustains programs needed for the business to survive, such as:
a. Marketing
b. Bookkeeping
c. Facility Maintenance
d. All of the Above

5. What is a disadvantage of the BSC?


a. focus on specific linkage between different objectives and their budgets
b. All projects or programs are linked into a complete process flow that ignores departments
and traditional boundaries
c. Politics can kill the BSC unless the sponsor eliminates the people creating the political
conflict
d. When fully implemented, none of the departments will have their own budget to spend

6. What type of continuity planning would plan out who would be running the company?
a. executive continuity
b. client continuity
c. Investor continuity
d. product line continuity

7. SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurrence) =


a. ALE (Annual Loss Expectancy)
b. AV (Asset Value)
c. EF% (Exposure Factor)
d. None of the above

8. Who is usually responsible for Operational Planning?


a. Department Director
b. Manager
c. Technical Lead
d. All of the Above

9. The Project Management Institute created which of the following benchmarks?
a. NIST Controls Matrix
b. FISMA
c. OPM3
d. BCMM

10. When the Board of Directors comes up with a new long-term vision, how many years ahead are
they strategically planning?
a. 6 months
b. 1 year
c. 3 or more years
d. 2 months

11. "Where will the data, applications and technology reside?" is a question that the _________ plan
focuses on.
a. Data Plan
b. Facilities Plan
c. Organizational Plan
d. Technology Plan

12. True or False? The USA has stronger privacy laws than Europe.
a. TRUE
b. FALSE

13. What quality control model targets CMM levels 3-5 and is the international derivative of TQM?
a. PMI
b. ISO9001
c. Prince2
d. Six Sigma

14. The ________ function is to convert interested prospects from marketing campaigns into closed
deals.
a. Marketing
b. Manufacturing/Software Development
c. Sales
d. Finance

15. According to the BSC, which perspective's emphasis would ask: What information do I need to beat
my competitor?
a. Customer
b. Business Process
c. Financial
d. Growth and Learning

16. Managers on all levels are expected to provide?


a. Resources
b. Leadership
c. Legal Expertise
d. Money

17. Obtaining control over IT expenses would belong to what IT subset of the BSC?
a. Mission
b. Strategy
c. Metrics
d. None of the above

18. What is the strongest type of control?


a. Discretionary
b. Mandatory
c. Unparalleled
d. Optional

19. What is an example of project management?


a. Construction
b. Development of new products
c. Individual Audits
d. All of the Above

20. What is Level 4 of the ISACA COBIT CMM?


a. Managed
b. Nothing yet
c. Defined
d. Initial

21. How should you determine the members of the IT steering committee?
a. Appointed by CEO
b. Designated in the IT Steering Committees Formal Charter
c. Appointed by Board of Directors
d. Elected by employees

22. What is not a goal of BPR (Business Process Re-Engineering)?


a. Continuous Improvement
b. Increasing Spending of Funds
c. Understand how change introduces new risks
d. Conveys the importance of security controls

23. What is the current edition of COBIT?


a. 3
b. 4
c. 2
d. 6

24. In which step does your BPR plan receive formal approval from the Sponsor?
a. Evaluate
b. Reconstruct
c. Initiate
d. Envision

25. Who would not represent the IT department on the steering committee?
a. CIO
b. VP of Information Technology
c. CFO
d. All of the Above

26. What type of policy explains the condition to be prevented and provides notice as to the
consequences of failure?
a. Advisory
b. Regulatory
c. Informational
d. None of the above

27. Asset Value (AV) x Exposure Factor (EF)% =


a. Annual Rate of Occurrence
b. Annual Loss Expectancy
c. Single Loss Expectancy
d. None of the above

28. What would lead to a hostile termination process?


a. Workplace Violence
b. Fraud
c. Criminal Act
d. All of the Above

29. When should IT systems be monitored?


a. Its first 6 months in use
b. One month out of the year
c. The Entire life cycle of the product
d. 3 days every week

30. In which step of the BPR plan would you perform an Analysis of Alternatives?
a. Reconstruct
b. Redesigning
c. Initiate
d. Diagnose

31. At what level of the organization do risks take place?


a. Entry Level
b. Mid Management Level
c. Executive Level
d. All Levels

32. What should be a minimum requirement for management methods?


a. Performance reporting
b. General record keeping
c. Safeguard and implementation details of controls
d. All of the Above

33. Who provides consistency in operations, manufacturing, and risk mitigation?


a. Legal
b. Quality Control
c. Finance
d. Research and Development

34. What type of IT funding would include Individual Departments having a direct charge for system
use?
a. Shared Cost
b. Charged-Back
c. Sponsor Pays
d. None of the above

35. What is the process of rolling out new products, maintaining profits, shutting down losses and
aiding in continuing the company after a total disaster takes place?
a. Business Continuity
b. Business Perseverance
c. Business Lockdown
d. Disaster Relief Plan

36. What is used by business executives for reporting metrics?


a. The Balanced Scorecard (BSC)
b. The Metric Scorecard
c. Strategic Business Objective report
d. Business Scorecard

37. What is going to be your first step of the BPR plan?


a. Envision
b. Initiate
c. Diagnose
d. Redesigning

38. True or False? With BPR, if you are thinking big, a top-down approach is best.
a. TRUE
b. FALSE

39. What would disallow you from going to work with your company competitor, immediately after
departure from your current company?
a. Confidentiality Agreement
b. Non-Competition Agreement
c. Performance Evaluation
d. All of the Above

40. What project management model has 9 process areas and focuses on organizational process
methodology?
a. PMI
b. ISO9001
c. Prince2
d. TQM

Organizational Data Security Fundamentals
1. What are the 3 C's?
a. Cost, Classify, Control
b. Change, Classify, Control
c. Cost, Change, Classify
d. Cost Change Control

2. From the CIA Triad, Confidentiality is defined as:


a. Keeping data available on a private network
b. Keeping data unaltered
c. Keeping data secret
d. All of the above

3. Which of the following is not a sign of a Phishing email?


a. Poor spelling and grammar
b. Sense of urgency
c. Promise of monetary gain
d. Addresses you by name

4. What responsibility falls on the Data Owner?


a. Classifies Data
b. Evaluates Business Processes
c. Chief Decision maker
d. Responsible for budgeting and finances

5. What is a way of protecting files in process?


a. Use Good Policies/Best Practices
b. Log out of your computer when you leave your desk
c. Watch for shoulder surfing
d. All of the above

6. From the CIA Triad, Integrity is defined as:


a. Keeping data secret
b. Keeping data unchanged
c. Keeping data available for use
d. None of the above

7. What is PII?
a. Personal Integrity Identifier, A way of checking one's integrity
b. Personally Identifiable Information, any data that could identify an individual
c. Personality Identity Intelligence, a new way of testing if one has the right personality to fill a
position
d. None of the Above

8. What are two concepts of Integrity?


a. Security and Data
b. Covert and Overt
c. Integral and Gritty
d. None of the Above

9. Who has the authorization to modify files?
a. Administrators
b. Guests
c. Regular users
d. Nobody

10. What addresses the correct function of a system?


a. PII
b. IAAA
c. System Integrity
d. Data Integrity

11. Which of the following most closely matches the definition of social engineering?
a. Attacking Computer systems by manipulating people
b. Attacking Computer systems by guessing passwords
c. Attacking Computer systems with advanced technical attacks
d. Attacking Computer systems through physical insecurities

12. What is a type of classification? (Select One)


a. Confidential
b. Top Secret
c. Unclassified
d. Secret

13. What encrypts entire hard drives?


a. EFS
b. TPM
c. RAM
d. None of the above

14. What is the time sensitivity of data?
a. Sensitivity
b. Criticality
c. Data Value
d. Data Classification

15. What is CRUD?


a. Control, Read, Update, Delete
b. Control, Revise, Update Delete
c. Create, Read, Update, Delete
d. Create, Read, Understand, Deliver

16. Who is responsible for Risk Analysis and Mitigation?


a. CIO
b. Data Custodian
c. Network Administrator
d. ISO

17. Who is responsible for all security-related tasks, focusing on Confidentiality and Integrity?
a. Network Administrator
b. Steering Committee
c. Security Administrator
d. CEO

18. What is not a technique of System Hardening?
a. Locking the Server Room Door
b. Installing all the latest new, intrusive programs and apps
c. Renaming Default Accounts
d. Changing Default Settings

19. Do you have to document Configuration Management?


a. Yes
b. No
c. Depends on the situation
d. Up to Management

20. What is an example of Covert Encryption?


a. Cryptography
b. Masking
c. Steganography
d. Encryptology

21. What does Configuration Management identify and document?


a. Hardware Components
b. Software
c. Associated Settings
d. All of the above

22. What is an indicator that makes up the value of an asset?


a. Value to the organization
b. Loss if compromised
c. Legislative drivers
d. All of the above

23. What is an example of States of Data?


a. At Rest
b. In Process
c. In Transit
d. All of the Above

24. Define Data Costs.


a. How much you paid for the data
b. How much you could sell the data for
c. Value of the data
d. None of the above

25. What is BitLocker an example of?


a. TPM Whole hard drive encryption
b. A locker for your bits
c. EFS
d. A new encrypted Operating System

26. What protocol should you avoid while transmitting data?
a. FTP
b. POP3
c. SNMP 1&2
d. All of the above

27. Who is not a member of Senior/Executive Management?
a. CEO
b. Security Administrator
c. CIO
d. CFO

28. What is a responsibility of the ISO? (Select One)
a. Ensure compliance with government and industry regulation
b. Establish security measurements
c. Communication of Risks to Senior Management
d. All of the Above

29. What is not a way of validating an Authenticity claim?


a. Anonymous
b. Non-repudiated
c. Digest
d. Forms

30. You need to ______ data in order to protect it.
a. Delete
b. Make copies of
c. Encrypt
d. Distribute

31. What would you document during Configuration Management Documentation?


a. Permanent IP if applicable
b. Model
c. Organizational department label
d. All of the above

32. What is the Ultimate Goal of Change Management?


a. To change the management of an organization
b. System stability
c. To introduce changes in the organization
d. None of the above

33. What can you do to protect data in process?


a. Use AES 256 bit encryption
b. Use a "clean desk" approach, make sure no one is shoulder surfing, be aware of
surroundings
c. Use SSL
d. Build a fortress around your desk

34. What is the purpose of the OSI model?


a. To help technicians troubleshoot
b. To provide a rigid methodology for development of products
c. To promote interoperability among vendors
d. To be used for testing purposes

35. What could we use to make sure data stays encrypted in transit?
a. TLS
b. SSL
c. IPsec
d. All of the Above

Access Control and Identity Management
1. An administrator has noticed an increase in failed access attempts to the network. He needs to
implement a quick solution before a longer term solution can be evaluated. What would be a logical
step towards mitigation?
a. Install an Intrusion Prevention System
b. Increase the password complexity requirements
c. Lower the clipping level on the number of logins
d. Install a firewall

2. A negative characteristic of auditing is that


a. It tracks both positive and negative behaviors
b. It utilizes system resources
c. It provides accountability
d. It provides authorization

3. Which of the following security groups should not be given privileged access?
a. Network Administrators
b. Security Administrators
c. System Administrators
d. Internal Auditors

4. One of the greatest concerns with DHCP is that there is no


a. Client authentication
b. Server authentication
c. User authentication
d. Health verification

5. Identification accomplishes which of the following?


a. Authentication
b. Authorization
c. Accountability
d. None of the above

6. If the NTFS settings of a folder are Full Control (in a Windows environment), what impact does
changing the shared folder permission to Read Only have on a user’s ability to access the file
locally?
a. None
b. The user would only be able to view the file, and would not be allowed to modify in any
way
c. The user would only be able to view the file name and its properties, but not to make any
changes
d. The user would be denied access since there is a conflict in permissions

7. Separation of Duties is an essential control in order to mitigate risks associated with social
engineering. However, to truly be beneficial it should be coupled to
a. Need to know
b. Auditing
c. Incidence Response
d. Job Rotation

8. Which of the following security groups should not be given privileged access?
a. Public access accounts
b. Nonpublic accounts
c. Privileged accounts
d. Non-privileged accounts

9. RADIUS provides which purpose on the network?


a. Central authentication
b. Audit and review of LDAP hosts
c. Policy control for local access
d. Health inspection of clients

10. In its most basic sense, a sniffer can simply be


a. A system with a NIC in promiscuous mode
b. A NIC configured with port-span
c. A switch with snooping configured
d. A wire-tapping device

11. Which is associated with an implicit deny?


a. White-listing
b. Black-listing
c. Content filtering
d. Spam filtering

12. An authentication token in Windows contains:
a. A list of user and system passwords
b. Group memberships
c. Rights and permissions for the user
d. Time-stamped access to the domain

13. With dual control, which of the following is true?


a. Two or more users must provide credentials before accessing a resource or privilege
b. Two or more administrators can perform the same access control function
c. Multi-factor authentication is required
d. Authorization for an action must be granted multiple times

14. What information would be contained on a Kerberos ticket?


a. Two copies of an identical key
b. A public and private key pair
c. A public key
d. An authentication token

15. Which type of attack involves the use of pre-computed password hashes?
a. Dictionary
b. Brute Force
c. Hybrid
d. Rainbow Tables

16. Auditing is most dependent upon which access control concept?


a. Identification
b. Authentication
c. Authorization
d. Accounting

17. Why is it important to have a policy that enforces a minimum length of time between password
changes?
a. Users will change passwords so frequently that they forget them
b. Users will change passwords frequently to override password history and allow themselves
to continue using the same passwords
c. Password replication to domain controllers happens only every thirty minutes so the user
may get locked out of services
d. Changing passwords frequently increases administrative overhead

18. In order to implement the strongest means of authentication, which type should be used?
a. Biometrics
b. Type I
c. Type II
d. Multi-Factor

19. Three sales users need access to a printer. Senior management advises you to grant access to the
marketing printer. Which is the best way to accomplish this task?
a. Since there are less than five users, grant permission directly to the users
b. Add the sales users to the marketing group
c. Create a new group called Sales and add the users to the group. Grant permission to the
group
d. Create an organizational unit called Sales. Add the users to the group. Grant permissions to
the organizational unit

20. Which language is used for the exchange of an authentication token across federated trusts?
a. SPML
b. SAML
c. XML
d. HTML

21. Should safeguards be visible and why?


a. Yes, so that network administrators can more easily audit them
b. Yes, to cause a deterrence
c. No, because it will be easier to catch an attacker if they aren’t aware of our security
mechanisms
d. No, because it may indicate that a resource is valuable

22. The best way to protect data while being processed is


a. Encryption
b. Physical security
c. Strong authentication
d. Host-based intrusion detection

23. Which of the following enables single sign on?


a. LDAP
b. EAP
c. CHAP
d. MSCHAP v2

24. On a mail server, which would be the best means of limiting messages from specific spammers?
a. Black-listing
b. White-listing
c. Content filtering
d. Spam filtering

25. In order to validate a claimed identity, which best describes an authentication token?
a. One-time password generator
b. Time-based access control
c. Credentials
d. Synchronous access control

26. What action should a user take if someone tries to piggyback on their card swipe?
a. Tell the individual that they aren’t authorized to be in the building
b. Ask the individual to show them an access card. If they are unable to do so, do not allow
the individual to enter the building
c. Ask the individual to show them an access card. If they are unable to do so, escort the
individual to security
d. Notify security at once

27. In order to access a Kerberized domain, what is necessary for a user to access an object?
a. A ticket
b. A TGT
c. An asymmetric key
d. A public key

28. A user in a Windows environment is in multiple groups with the following conflicting permissions:
SALES GROUP: Shared Folder Permission Change, NTFS Permission Modify
USERS: Shared Folder Permission Read Only, NTFS Permission Read
TECHNICIANS: Shared Folder Permission Full, NTFS Permission RWX
What is the result?
a. The user would have Full permission to the folder
b. The user would have Read permission to the folder
c. The user would have RWX permission to the folder
d. The user would have Modify permission to the folder

29. ARP Cache poisoning is often used for


a. Spoofing
b. Redirection
c. Sniffing
d. DDOS

30. When assigning permissions to folders, what is the difference between an implicit deny and an
explicit deny?
a. Because they both result in no access, they are essentially the same
b. An implicit deny can be overridden by a network administrator, however an explicit deny
cannot
c. An implicit deny is the default permission in Windows shares, whereas an explicit deny must
be manually configured
d. An explicit deny trumps all other permissions. An implicit deny can be overridden by other
permissions.

31. What is true of passphrases?
a. Should consist of a known phrase that the user will be able to remember easily, while still
being sufficiently long
b. Take exponentially more time to crack, even if the phrase is common
c. Can be cracked as easily as a password if the phrase is common
d. Are only used in proprietary software like PGP

32. At what point in time does the user’s password cross the network in a Kerberized environment?
a. Upon initial access
b. During the negotiation handshake
c. Before being granted a TGT
d. Never

33. An “evil twin” is implemented as a type of


a. Rogue DNS Server
b. Rogue Access point
c. Rogue DHCP
d. Rogue Web Server

34. When reviewing an audit log, which of the following is of greatest concern?
a. Successful login attempts
b. Account Expired
c. Password Expired
d. Account lockout

35. In the event of a security incident regarding a computer, what should users be trained to do?
a. Turn off the affected system
b. Remove the affected system from the network
c. Call the incident response team
d. Inspect the system to determine the depth of the attack

36. “Privilege creep” is best alleviated by which of the following?


a. Continuous review of user accounts and permissions
b. Salary-based access control
c. Rule-based access control
d. Role-based access control

37. In a Windows environment, which of the following best describes the relationship between
Security Groups and Organizational Units?
a. Organizational Units are designed to grant permission to resources in the domain. Security
Groups are used for the assignment of group policy
b. Organizational Units are designed for the assignment of group policy. Security Groups are
used to grant permissions to resources in the domain
c. Security Groups are a way of organizing users. Organizational Units are a means of
grouping non-computer resources
d. Security Groups are a means of grouping non-computer resources. Organizational Units are
a way of organizing users.

38. You run up to the building, asking the security guard to open the gate for you because you have a
meeting with the CEO and you are late. The guard lets you in without checking your identity.
What does this situation represent?
a. Phishing
b. Reverse social engineering
c. Tailgating
d. Impersonation

39. Analyse the following scenario. Attacker: "Hi Frederica. I am Megan from Lotto.com and I am so
happy to inform you that you have won a weekend with your fiancé in Budapest." What tactic is
the attacker using?
a. Greed
b. Sympathy
c. Authority
d. Supplication

40. Why would we want to prevent users from changing the system date and time on their systems?
a. It would cause an inability to audit the user’s actions
b. It may throw off password replication
c. Group policy replication will not happen as scheduled
d. Kerberos is time-sensitive and the user may be locked out

Asset Security
1. What would you document during Configuration Management Documentation?
a. Permanent IP if applicable
b. Model
c. Organizational department label
d. All of the above

2. What stores the encryption keys for full drive encryption?


a. EFS
b. TPM
c. RAM
d. None of the above

3. Who is responsible for Risk Analysis and Mitigation in relation to information assets?
a. CIO
b. Data Custodian
c. Network Administrator
d. ISO

4. What are the 3 Cs?


a. Cost, Classify, Control
b. Change, Classify, Control
c. Cost, Change, Classify
d. Cost Change Control

5. What is a responsibility of the ISO?


a. Ensure compliance with government and industry regulation
b. Establish security measurements
c. Communication of Risks to Senior Management
d. All of the Above

6. Define data costs


a. How much you paid for the data
b. How much you could sell the data
c. Value of the data
d. None of the above

7. Do you have to document Configuration Management?


a. Yes
b. No
c. Depends on the situation
d. Up to Management

8. What responsibility falls on the Data Owner?


a. Classifies Data
b. Evaluates Business Processes
c. Chief Decision maker
d. Responsible for budgeting and finances

9. What is an indicator that makes up the value of an asset?
a. Value to the organization
b. Loss if compromised
c. Legislative drivers
d. All of the above

10. How many steps are in the Change Management Process?


a. 3
b. 4
c. 8
d. 2

11. What is the purpose for classification?
a. To drive what controls are put in place to protect the information
b. To specify labels for certain types of information
c. To waste time
d. None of the above

12. What does Configuration Management Identify and Document?


a. Hardware Components
b. Software
c. Associated Settings
d. All of the above

13. What is BitLocker an example of?


a. TPM Whole hard drive encryption
b. A locker for your bits
c. EFS
d. A new encrypted Operating System

14. Who is not a member of Senior/Executive Management?


a. CEO
b. Security Administrator
c. CIO
d. CFO

15. What is NOT a type of military classification?


a. Confidential
b. Top Secret
c. Critical
d. Secret

16. What is not a technique of System Hardening?


a. Locking the Server Room Door
b. Installing all the latest new and trending intrusive programs and apps
c. Renaming Default Accounts
d. Changing Default Settings

17. Who is responsible for all security-related tasks, focusing on Confidentiality and Integrity
a. Network Administrator
b. Steering Committee
c. Security Administrator
d. CEO

18. What is a way of protecting files in process?
a. Use Good Policies/Best Practices
b. Log out of your computer when you leave your desk
c. Watch for shoulder surfing
d. All of the above

19. You need to ______ Data in order to protect it


a. Delete
b. Make copies of
c. Encrypt
d. Distribute

20. What is the Ultimate Goal of Change Management?


a. to change the management of an organization
b. system stability
c. to introduce changes in the organization
d. none of the above

Protection of Information Assets
1. How often should biometric templates be updated?
a. Weekly
b. Monthly
c. Annually
d. Quarterly

2. Which attack uses an automated modem dialing utility to launch a brute force attack against a list
of phone numbers?
a. War dialing
b. Speed dialing
c. Spear phishing
d. Drunk dialing

3. Which attack targets a specific user, server, database, or network device?


a. Social engineering
b. Phishing
c. Spear phishing
d. Dumpster diving

4. Which individual is focused on a desire to break in, take over, damage, or discredit legitimate
computer processing?
a. Hacker
b. Arsonist
c. Third-party criminal
d. White collar criminal

5. What is the term describing an equal balance of speed and accuracy for biometrics?
a. Crossover Error Rate
b. Equal Error Rate
c. False Acceptance Rate
d. False Rejection Rate

6. When setting up a wireless LAN, what is an example of a STA?


a. PDA
b. Notebook computer
c. Mobile phone
d. All of the above

7. Which individual uses existing tools and programs to harm an organization’s infrastructure?
a. Cracker
b. Rogue ethical hacker
c. Script kiddie
d. All of the above

8. Which technique is used to deduct a small amount of money from every customer?
a. Pastrami attack
b. Pepperoni attack
c. Salami attack
d. Bologna attack

9. Which term describes when a biometric system does not create a user profile?
a. False Acceptance Rate (FAR)
b. False Rejection Rate (FRR)
c. Failure to Enroll
d. Crossover Error Rate (CER)

10. True or False? Asymmetric cryptography uses a PKI.


a. TRUE
b. FALSE

11. Which firewall generation is referred to as Kernel Response?


a. First
b. Third
c. Fifth
d. Second

12. Which traditional method of spying is an attempt to gather information?


a. Eavesdropping
b. Passive attack
c. Active attack
d. Sniffing

13. Which term describes when a legitimate user fails to authenticate with biometrics?
a. Failure to Enroll
b. False Acceptance Rate
c. False Rejection Rate
d. Crossover Error Rate

14. Which hacking technique allows a website to direct activity on another website?
a. XSS (cross site scripting)
b. XML
c. SQL Injection
d. None of the above

15. What is the term for misrepresentation in order to gain an advantage?


a. Blackmail
b. Fraud
c. Sabotage
d. Industrial espionage

16. What is the term for spying by individuals or governments with the intent to gather, transmit, or
release information which benefits a foreign organization?
a. Sabotage
b. Fraud
c. Blackmail
d. Industrial espionage

17. Which attack involves retransmitting packets within a short time window in order to impersonate a
legitimate user?
a. Packet replay
b. Origin attack
c. Plug and play
d. Source routing

18. Which term describes hidden access to software used during testing?
a. Logic bomb
b. Time bomb
c. Trap door
d. Rootkit

19. Which type of password attack attempts to use all possible passwords?
a. Brute force
b. Dictionary
c. Hybrid
d. None of the above

20. What would logical access controls be used for?


a. Identification of users
b. Restriction of users
c. Authentication of users
d. All of the above

21. Which attack involves discovering open wireless networks from a vehicle?
a. Plug and play
b. War dialing
c. War driving
d. Salami technique

22. What is the basis for attribute-based access controls?


a. Risk
b. Value of data
c. Available security controls
d. All of the above

23. Can a firewall control traffic that does not directly pass through the device?
a. Yes
b. No

24. Which attack uses several computers to prevent legitimate use of a network resource?
a. DoS
b. DDoS
c. Spear phishing
d. Worm

25. Which of these firewalls is a third generation device?
a. Packet filter
b. Stateful inspection
c. Application proxy
d. None of the above

26. Which type of malware lies dormant until an event triggers execution?
a. Logic bomb
b. Time bomb
c. Trap door
d. Rootkit

27. Which type of server is placed in a DMZ to attract attackers?
a. Honeypot
b. Honeydew
c. Honeynest
d. Honeycomb

28. Which group should be considered for the effects of using biometric authentication?
a. Employees
b. Customers
c. Business partners
d. All of the above

29. Which method ignores the configuration of network routers in order to follow instructions
designated by the sender?
a. Packet replay
b. Source routing
c. Social engineering
d. War driving

30. What is the term for willful and malicious destruction of an employer’s property?
a. Sabotage
b. Blackmail
c. Fraud
d. Industrial Espionage

31. Which attack involves rummaging through the trash for discarded information?
a. Spear phishing
b. Dumpster diving
c. Phishing
d. Social engineering

32. Which of these devices is an example of a VPN?


a. Host to host
b. Host to gateway
c. Gateway to gateway
d. All of the above

33. Which term describes the second type (factor) of authentication?
a. Something you know
b. Something you have
c. Something you are
d. All of the above

34. Which type of access control allows an individual to designate the authorization level for other
individuals?
a. Mandatory Access Control (MAC)
b. Discretionary Access Control (DAC)
c. Role Based Access Control (RBAC)
d. Task Based Access Control (TBAC)

35. Which is an example of biometric authentication?


a. Retinal scanning
b. Fingerprinting
c. Voice recognition
d. All of the above

36. Which IPsec VPN mode encrypts only the payload, leaving the original IP header in the clear?
a. Transport
b. Tunnel
c. Both A&B
d. Neither A&B

37. Shared (symmetric) encryption keys are used with Kerberos.
a. TRUE
b. FALSE

38. Which type of biometric authentication measures the unique features of the colored ring surrounding
the pupil of an eye?
a. Iris scan
b. Face scan
c. Retinal scanning
d. Pupil scan

39. Which technology converts each biometric image into a unique data template?
a. Biometric template generator
b. Biometric template matcher
c. Biometric photoshop
d. Biometric image generation suite

40. Which group is a third party?


a. Vendors
b. Consultants
c. Cleaning crew
d. All of the above

Incident Management
1. The CISO
a. Must prevent all disruptions to business
b. Must make sure we are profitable
c. Must make sure we are prepared for routine work
d. Must make sure we are prepared for an incident

2. The last step in the incident response lifecycle


a. Is remediate
b. Is eradicate
c. Is eradicate and remediate
d. Is eliminate

3. If we don't have the skills in-house to properly respond to incidents
a. Then we would create a toolkit that would consist of telephone numbers of who to call and
the steps we do feel comfortable taking within the organization
b. Then we would not create a toolkit that would consist of telephone numbers of who to call
and the steps we do feel comfortable taking within the organization
c. Then we might create a toolkit that would consist of telephone numbers of who to call and
the steps we do feel comfortable taking within the organization
d. Then we would create a toolkit that would consist of telephone numbers of who to call

4. We have to look at what our capabilities for incident response are


a. In-house
b. Using 3rd parties
c. Individually
d. None of the above

5. Often attackers
a. Find new targets
b. Go back to the same target
c. Give up trying
d. Apologize
6. Those that handle the incident response reports
a. Should know how to evaluate whether or not a report is actually an incident or not
b. Must know how to evaluate whether or not a report is actually an incident or not
c. Can not know how to evaluate whether or not a report is actually an incident or not
d. Must know how to evaluate whether or not a report is actually a disaster or not

7. When you have multiple events that have a negative impact on the environment
a. That becomes a disaster
b. It is neither good, nor bad
c. It may or may not be an incident
d. That becomes an incident

8. When we talk about triage


a. We are trying to determine which incident or event is the most severe
b. We are trying to determine which incident or event is the least severe
c. We are trying to address all events and incidents
d. We are waiting to see what happens

9. Incident response is different from forensics;
a. With forensics our primary focus is on evidence collection
b. With forensics our secondary focus is on evidence collection
c. With forensics our primary focus is on evidence destruction
d. With forensics our primary focus is on resource collection

10. If changes need to be made as a result of an incident


a. We need to make sure that there is a management procedure in place
b. We need to make sure that there is a change management procedure in place
c. We do not need to make sure that there is a change management procedure in place
d. We need to make sure that there is a procedure in place

11. In an incident
a. There is an inherent assumption of a malicious nature or the presence of malicious intent
b. There is no inherent assumption of a malicious nature or the presence of malicious intent
c. There is the presence of malicious intent
d. There is no inherent assumption of a positive nature or the presence of good intent

12. The goal of incident response is


a. To create disruptions to the network and other business processes
b. To limit disruptions to the users
c. To limit disruptions to the network and other business processes
d. To limit routine functioning of the network and other business processes

13. Triage is
a. The process of prioritization of tasks
b. The process of sorting, categorizing, correlating, prioritizing, and assigning incoming
reports/events
c. The process of isolating infected computers
d. A and B

14. We want to establish


a. Periods of recreation for those elements that are most critical
b. Periods of criticality for those elements that are most critical
c. Periods of inactivity for those elements that are most critical
d. Periods of introspection for those elements that are most critical

15. A CISO must be responsible for


a. Coordinating the planning and design of the incident response
b. Reading the planning and design of the incident response
c. Coordinating the formatting and fonts of the incident response
d. Observing the planning and design of the incident response

16. Honeypots detect activity by


a. Providing valuable data to an attacker
b. Providing decoys for an attacker
c. Making the attacker attack another company
d. Recording the attack as data security is breached

17. Those that handle the incident response reports
a. Must take them with a grain of salt
b. Must write them seriously
c. Must take them
d. Must take them seriously

18. Part of preparation is


a. Meeting with the senior management and making sure that they are on board
b. Meeting with the end users and making sure that they are on board
c. Meeting with the customers and making sure that they are on board
d. Meeting with the senior staff and making sure that they are on board

19. A CISO must hope for the best


a. But prepare for the worst
b. But prepare for the best also
c. But prepare for anything
d. B and C

20. Honeypots are often placed in
a. The CEO's laptop
b. All the desktop computers
c. The most sensitive areas of the network
d. Our demilitarized zones

21. A CISO must


a. Work alone
b. Work with a team
c. Not do any work
d. Take lots of time off

22. We want to be as proactive as possible
a. So we want monitoring of our environment and our network
b. So we want a record of the monitoring of our environment and our network
c. So we want real-time monitoring of our environment and our network
d. So we want real-time monitoring of our network alone

23. Ultimately a big part of preparing


a. Is collecting staff
b. Is collecting software
c. Is collecting ideas
d. Is collecting information

24. We should analyze data traffic


a. For fun
b. For unusual patterns or events
c. To check network capacity
d. To make sure it is as fast as it should be

25. It is up to you as a CISO
a. To put the proper policies, procedures, and guidelines in place so that we can respond to
those events as quickly as possible
b. To put the proper policies and guidelines in place so that we can respond to those events
as quickly as possible
c. To delegate someone to put proper policies, procedures, and guidelines in place so that we
can respond to those events
d. To put the proper guidelines in place so that we can respond to those events as quickly as
possible

26. Escalation ideally happens because


a. We do not trust those in a hierarchy above us to make good business decisions
b. We trust those in a hierarchy above us to make good business decisions
c. We trust those in a hierarchy below us to make good business decisions
d. We trust those in a hierarchy above us to make business decisions

27. Incidents are


a. Smaller in nature and scope than a disaster
b. Larger in nature and scope than a disaster
c. Smaller in nature and scope than a network
d. Smaller in nature and definition than a disaster

28. The definition of Prepare in incident response


a. Is the daily work that has to be completed prior to having any capability to respond to
incidents
b. Is the preparation work that has to be completed prior to having any capability to respond
to incidents
c. Is the unrelated work that has to be completed prior to having any capability to respond to
incidents
d. Is the preparation work that has to be completed prior to having any capability to respond
to incidents

29. After isolating the infected system or network


a. Ensure that measures are taken
b. Ensure that forensic measures are taken
c. Ensure that forensic measurements are taken
d. It is too late for forensic measures to be taken

30. We need a regular schedule


a. To review audit logs and files
b. To review employee performance
c. To delete audit logs and files
d. To create audit logs and files

31. Incident response planning


a. Must be done just before an incident
b. Must be done well after an incident
c. Could be done well in advance
d. Must be done well in advance

32. We will document how we are going to conduct
a. Our review after an incident
b. Our review before an incident
c. Our review during an incident
d. B and C

33. In certain attacks, such as rootkits that embed themselves in the operating system kernel,
a. We want to restore from backup because that rootkit may already be in the backup as well
b. We don't want to restore from backup because that rootkit may already be in the backup as
well
c. We don't want to restore from original media because that rootkit may already be in the
original media as well
d. B and C

34. Pull the network cable


a. To isolate the infected system or network
b. To isolate the infected staff or administrator
c. To isolate the infected room or closet
d. B and C

35. After the event of an attack


a. We will want to increase our employee monitoring activity
b. We will want to increase our log monitoring activity
c. We will want to increase our office monitoring activity
d. We will want to increase our phone monitoring activity

36. The CISO is


a. Heavily involved in writing incident response policy
b. Somewhat involved in writing incident response policy
c. Not involved in writing incident response policy
d. Heavily involved in reading incident response policy

37. Ultimately forensics will have the


a. End goal of presenting information in court
b. End goal of presenting information in an office
c. End goal of hiding information from court
d. Primary goal of presenting information to the board

38. In incident response the focus
a. Is a little bit different; because what we're primarily concerned with is maximizing
disruptions to the business
b. Is the same; because what we're primarily concerned with is minimizing disruptions to the
business
c. Is not different; because what we're primarily concerned with is minimizing disruptions to
the business
d. Is a little bit different; because what we're primarily concerned with is minimizing disruptions
to the business

39. Criticality deals with
a. How time sensitive a service or process is
b. How resource sensitive a service or process is
c. How management sensitive a service or process is
d. How staff sensitive a service or process is

40. Honeypots are helpful in


a. Gathering information
b. Losing information
c. Hiding information
d. None of the above

Business Continuity and Disaster Recovery
Planning
1. An appropriate solution for a Web store-front service with a low MTD might be
a. Frequent backup
b. Clustering
c. Load Balancing
d. RAID

2. An indication of the expected lifespan of a device such as a hard drive is


a. MTTR
b. MTBF
c. RPO
d. RTO

3. A Call Center currently handles over two thousand calls per day. The average hold time is under two
minutes and 96% of incoming calls are processed. In the event of a disaster, incoming calls will be
transferred to another call center on the West coast. The West coast center will still be processing its
normal amount of incoming calls, in addition to those transferred. Management understands normal
objectives will not be met. Management wants to ensure hold time is less than 5 minutes and 85% of
incoming calls will be processed. What are these metrics called?
a. MTD
b. RTO
c. RPO
d. SLA

4. How often should the Business Continuity Plan be reviewed?


a. Once per year
b. Twice-yearly
c. As a result of a major change
d. At least once per year or in the event of a major change

5. The local newspaper cannot afford a backup facility stocked with machinery and equipment to use
in the event of a disaster. In this instance it might be better to
a. Invest the money anyway, as it is essential that the paper be able to continue operations
b. Enter a reciprocal agreement with another newspaper
c. Invest in a Rolling hot site
d. Use a mirrored site instead

6. Backups that do not clear the archive bit are referred to as


a. Full
b. Incremental
c. Differential
d. Incomplete
7. How is business impact analysis different from risk analysis?
a. Business impact analysis is simply a type of risk analysis
b. Business impact analysis evaluates the value a process has to an organization, while risk
analysis considers probabilities and impacts of threats manifesting
c. Business impact analysis deals with the probability and impact of IT related threats, while
risk analysis deals with probability and impact of all threats
d. Business impact analysis is more quantitative in nature and risk analysis is more qualitative

8. Sara is charged with creating the disaster recovery plans for her group. She is very concerned about
paper-based tests not being realistic enough. She is also concerned with risking downtime of
production systems. Which test type is most appropriate in this situation?
a. Structured walkthrough
b. Warm
c. Simulation
d. Parallel

9. What should the BCP Planning committee include?


a. Representatives from all important IT functions
b. Cross-functional department representatives
c. Senior Managers and officers
d. End-users

10. The state of disaster is considered to be over at which point in time?


a. Processing resumes
b. Critical systems are restored
c. Operations have been restored to a state of Permanence
d. Reconstitution begins

11. Within an organization, who can declare an emergency?


a. Senior Management
b. Anyone
c. BCP Coordinator
d. Designated Official

12. Which type of test involves business department leaders discussing whether the plan meets the
needs of each department, and satisfies requirements for interoperability?
a. Full-Interruption Test
b. Checklist
c. Paper-based
d. Structured Walk-through

13. Who conducts the Business Impact Analysis?


a. Senior Management
b. Functional Management
c. The BCP Committee
d. The BCP Coordinator

14. Who is ultimately responsible for ensuring the Enterprise’s BCP is effective and up to date?
a. BCP Coordinator
b. Senior Management
c. The BCP Committee
d. The Project Manager

15. Qualitative analysis is best for which of the following losses?


a. Reputation
b. Data
c. Downtime
d. Theft

16. In developing a Business Impact analysis for an organization, it is determined that their email
server is a critical resource. If the server is unavailable more than two hours, the business will lose
more income than is acceptable. What is the term for this time period?
a. MTD
b. RPO
c. WRT
d. SLA

17. After a disaster, a business leader tells you that it took much too long to restore operations to a
critical server. Which metric will indicate the length of time in which this particular server must be
restored?
a. MTD
b. MTTF
c. MTBF
d. RPO

18. An indication of the expected lifespan of a device such as a hard drive is


a. MTTR
b. MTBF
c. RPO
d. RTO

19. Which document includes metrics such as MTD, RPO, and RTO?
a. Risk Management Strategy
b. Business Continuity Policy
c. Business Impact Analysis
d. Recovery Time Objectives

20. A legally binding document describing a cooperative relationship between two parties wishing to
work together to meet an agreed upon objective is called a
a. MOU
b. MOA
c. SLA
d. ISA

21. The first step of developing a Business Continuity Plan is to


a. Obtain a BCP Policy
b. Assess the impact of loss of critical assets
c. Secure a cross-functional BCP team
d. Determine the value of the business assets

22. Disaster Recovery Plans provide the processes necessary to


a. Return the most critical services to operation first
b. Return the most critical services to operation last
c. Restore the enterprise, in its entirety, to full operation
d. Retrieve lost data
23. What is the first step for developing a business continuity plan?
a. Obtain a BCP Policy from Senior Management
b. Conduct a Business Impact Analysis
c. Determine Most critical services
d. Determine business objectives

24. Sara is charged with creating the disaster recovery plans for her group. She is very concerned
about paper-based tests not being realistic enough. She is also concerned with risking downtime of
production systems. Which test type is most appropriate in this situation?
a. Structured walkthrough
b. Warm
c. Simulation
d. Parallel

25. An organization performs a nightly backup as its primary means of providing redundancy of data.
It requires that backups be tested weekly and mandates that the file servers which store the data be
down no longer than two hours. What is the company's MTD for the file servers?
a. None
b. One day
c. Two hours
d. One week

26. Before implementing the Disaster Recovery Plan, it must be thoroughly tested. Which of the
following tests is the most realistic indication of whether the plan will be successful?
a. Simulation
b. Structured walk-through
c. Parallel
d. Full Interruption

27. Recovery point objectives (RPOs) can be used to determine which of the following?
a. Maximum tolerable downtime
b. Frequency of backups
c. Baseline for operational resiliency
d. Time to restore backups
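
The archive-bit behaviour behind question 6 and the RPO-to-backup-frequency link in question 27 are easiest to see by running them. The following is an added example written for this page, not part of the Cybrary material: it simulates a week of full, incremental and differential backups over a constructed set of four files, derives the restore chain each scheme implies (which is what lengthens or shortens the RTO), and checks a backup schedule against an RPO. File names, the daily change pattern, the backup times and the objectives are all assumptions.

```python
"""Archive-bit semantics of full, incremental and differential backups, the
restore chain each one implies, and the RPO check that sets backup frequency.
Added example for questions 6, 27 and 30 of the BCP/DR section; it is not part
of the Cybrary material. File names, change pattern and objectives are
constructed."""

from dataclasses import dataclass


@dataclass
class File:
    name: str
    archive_bit: bool = True  # the OS sets this whenever the file is modified


def backup(files, kind):
    """Capture files according to `kind` and update archive bits.

    full:         copies everything and clears the bit
    incremental:  copies files with the bit set, then clears it
    differential: copies files with the bit set and leaves it set, so each
                  differential holds everything changed since the last full
    """
    if kind == "full":
        captured = [f.name for f in files]
    elif kind in ("incremental", "differential"):
        captured = [f.name for f in files if f.archive_bit]
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    if kind != "differential":
        for f in files:
            f.archive_bit = False
    return captured


def modify(files, *names):
    """Simulate edits: the OS re-sets the archive bit on each touched file."""
    for f in files:
        if f.name in names:
            f.archive_bit = True


def restore_chain(history):
    """Sets needed to rebuild the latest state: the last full, then either every
    incremental after it (in order) or only the newest differential after it."""
    last_full = max(i for i, (kind, _) in enumerate(history) if kind == "full")
    after = history[last_full + 1:]
    diffs = [h for h in after if h[0] == "differential"]
    return [history[last_full]] + (diffs[-1:] if diffs else after)


def simulate_week(kind):
    """Sunday full, then three days of edits each followed by a `kind` backup.
    Returns the size of each set and the restore work the scheme implies."""
    files = [File(n) for n in ("payroll.db", "ledger.xlsx", "contracts.docx", "site.tar")]
    history = [("full", backup(files, "full"))]
    for changed in (("payroll.db",), ("ledger.xlsx",), ("payroll.db", "site.tar")):
        modify(files, *changed)
        history.append((kind, backup(files, kind)))
    chain = restore_chain(history)
    return {
        "set_sizes": [len(names) for _, names in history],
        "restore_sets": len(chain),           # more sets to mount -> longer RTO
        "files_restored": sum(len(names) for _, names in chain),
    }


def rpo_check(backup_hours, failure_hour, rpo_hours):
    """Everything written after the last backup before the failure is lost.
    RPO bounds that window, which is why RPO drives backup frequency."""
    last = max(t for t in backup_hours if t <= failure_hour)
    loss = failure_hour - last
    return {"data_loss_hours": loss, "meets_rpo": loss <= rpo_hours}


if __name__ == "__main__":
    print("incremental ", simulate_week("incremental"))
    print("differential", simulate_week("differential"))
    print("nightly backups, 4 h RPO:", rpo_check([0, 24, 48], 60, 4))
```

Incrementals stay small (one or two files a day) but a Wednesday restore needs the full plus all three sets; differentials grow each day but a restore needs only two sets. The nightly schedule with a four-hour RPO fails the check because a failure at hour 60 loses twelve hours of data, so the RPO, not convenience, has to set the interval.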

28. What should a BCP policy include?


a. Specific details on backup/recovery procedures
b. Threshold of tolerances for loss
c. Commitment to support and funding of the BCP project
d. An assessment of business processes, assets, and an estimate of loss caused by the absence
of each service

29. The senior network administrator responsible for managing perimeter security devices is named in
the disaster recovery plan as the primary person to perform firewall recovery at an alternate site.
However, this administrator may move to another department and may no longer be available for
this role. Which plan should be used to prepare for such situations?
a. Business impact analysis
b. Succession
c. Personnel migration
d. Restructuring

30. The RTO is reached at which point in time?


a. Disaster declaration
b. Backups are restored
c. The system is restored
d. Full business operations are restored

31. After a disaster, a business leader tells you that it took much too long to restore operations to a
critical server. Which document should you review in order to examine the agreed upon metrics for
this particular server?
a. Recovery procedures
b. Reconstitution procedures
c. Business Impact Analysis
d. Memorandum of Agreement

32. What is the most important consideration when developing a disaster recovery plan?
a. Business processes
b. IT Process
c. Human life
d. Business Assets

33. The local newspaper cannot afford a backup facility stocked with machinery and equipment to use
in the event of a disaster. In this instance it might be better to
a. Invest the money anyway, as it is essential that the paper be able to continue operations
b. Enter a reciprocal agreement with another newspaper
c. Invest in a Rolling hot site
d. Use a mirrored site instead

34. In order to attain redundancy of hard disks, which should be implemented?


a. Hot-swappable drives
b. Clustering
c. RAID
d. Load-balancing

35. Which metric addresses how current restored data should be?
a. RTO
b. RPO
c. WRT
d. MTD

36. You have been asked to estimate the value of servers purchased a little over two years ago, as part
of information you are collecting for the business continuity plan. What should this value be based
on?
a. Original Cost
b. Original Cost plus depreciation
c. Net present value
d. Replacement cost

37. The sub-plans of the Business Continuity Plan fall into one of three categories. Which of the
following is NOT one of the categorizations for the plans?
a. Sustain
b. Report
c. Protect
d. Restore

38. Within an organization, who can declare an emergency?
a. Senior Management
b. Anyone
c. BCP Coordinator
d. Designated Official

39. What document identifies an enterprise’s business processes and functions and categorizes them
based on criticality?
a. BCP Policy
b. Disaster Recovery statement
c. Business Impact Analysis
d. Reconstitution Strategy

40. The Business Continuity Plan includes a number of sub-plans. Which plan would provide
instructions on how to evacuate the facility safely in the immediate aftermath of a disaster?
a. COOP
b. Business Resumption Plan
c. Occupant Emergency Plan
d. Crisis Notification Plan

Open Systems Interconnection Model
1. Firewalls provide a wide range of functionality. Which is not a benefit of layer 3 firewalls vs. layer 7
firewalls?
a. Speed
b. Lower cost
c. Deeper packet inspection
d. Performance

2. In relation to firewalls and content inspection services, which layer of the OSI model allows for the
greatest granularity in filtering?
a. Application
b. Session
c. Network
d. Data link

3. Which layer provides a physical interface to the network?


a. 7
b. 5
c. 3
d. 1

4. Which layer 4 protocol manages the flow of data across a network?


a. UDP
b. TCP
c. IP
d. HTTP

5. Which OSI layer supports the universal formatting of data?


a. Presentation
b. Application
c. Session
d. Transport
6. Which layer should be inspected to determine if a system initiated a session?
a. 4
b. 5
c. 6
d. 7
7. Data is referred to by different terms depending on the header information that has been added. At
layer 3, information such as IP source and destination addresses are included in the header. What is
the name for data and its headers at this layer?
a. Segment
b. Frame
c. Packet
d. Signal

8. Which layer 3 protocol is responsible for addressing packets?


a. UDP
b. TCP
c. IP
d. HTTP

9. Which organization developed the OSI Model?
a. ISO
b. IANA
c. IETF
d. TCSEC

10. Which layer supports the operation of a router?


a. 1
b. 2
c. 3
d. 4
11. Point to Point Protocol (PPP) provides framing of packets. Which OSI layer supports the operation
of PPP?
a. 6
b. 4
c. 2
d. 1
12. What does OSI stand for?
a. Open Systems Interconnection
b. Open System Initiative
c. Open Standards Initiative
d. Open Standards International

13. Which OSI layers support the operation of routers?


a. 1 through 3
b. 2 through 4
c. 3 through 5
d. 4 through 7
14. When people talk about the upper layers of the OSI model, which layers are they likely to be
referring to?
a. Transport through Application
b. Network and Transport
c. Physical and Data link
d. Physical through Application

15. A ping flood exploits the ICMP protocol. Which OSI layer is affected by this attack?
a. Physical
b. Transport
c. Network
d. Application
16. Which OSI layer supports the setup, maintenance, and teardown of a connection from a client to a
server?
a. Network
b. Transport
c. Data link
d. Session

17. Which layer supports non-repudiation, digital signatures, and certificates?


a. Layer 7
b. Layer 6
c. Layer 5
d. Layer 4

18. Which OSI layer supports the detection of Ethernet collisions?
a. Physical
b. Data link
c. Network
d. Transport

19. Packet filter firewalls operate at layer 3 of the OSI model. Which information is used to determine
if traffic is allowed?
a. Initiation of session
b. Content
c. Active Directory groups
d. IP address

20. Which type of addressing is used by layer 2 switches?


a. Physical
b. Session
c. LLC
d. MAC

21. Which layer supports web proxies?


a. Application
b. Session
c. Presentation
d. Transport

22. Which layer of the OSI model is compromised by ARP poisoning?


a. Physical
b. Data link
c. Network
d. Transport
23. Which OSI layer would support a web content-filtering device?
a. Layer 1
b. Layer 3
c. Layer 5
d. Layer 7
24. Which OSI layer provides the protocols that support user operations?
a. Presentation
b. Transport
c. Application
d. Session

25. Which layer contains the Media Access Control sublayer?


a. 1
b. 2
c. 3
d. 4

26. What header information is added at layer 3?


a. Port
b. IP address
c. MAC address
d. Session ID

27. Which layer is responsible for multimedia formats?
a. Presentation
b. Application
c. Session
d. Transport

28. Which OSI layer supports the operation of IP, ICMP, IGRP, IGMP, IPsec, IKE, and ISAKMP?
a. Network
b. Transport
c. Data link
d. Application

29. Which layer supports connection-oriented communication?


a. Layer 7
b. Layer 6
c. Layer 5
d. Layer 4

30. How many layers does the OSI Reference Model contain?
a. 7
b. 6
c. 5
d. 4

31. Many times people mistakenly refer to twisted-pair cabling as “Ethernet cable”. However, Ethernet
technology and the cable itself function at different layers of the OSI model. At which layer does the cable function?
a. 1
b. 2
c. 3
d. 4
32. Which layer of the OSI model does not support any protocols?
a. Session
b. Application
c. Transport
d. Presentation

33. A SYN flood exploits the TCP handshake. Which OSI layer is targeted in this attack?
a. Network
b. Transport
c. Data link
d. Application

34. Which OSI layers support the operation of SSL?


a. 1 through 3
b. 2 through 4
c. 3 through 5
d. 4 through 7

35. At layer 7, data is being prepared to be transmitted. Header information is added at each layer
traveling downward towards layer 1. On the receiving end, headers are stripped away as the data
flows upward towards the user. What is the process called when headers are stripped away?
a. Encapsulation
b. Decapsulation
c. Encryption
d. Decryption

36. Which layer of the OSI model supports port numbers?


a. Data link
b. Network
c. Session
d. Transport

37. Which layer does not provide sophisticated functions, and only provides a physical path for signals
to travel?
a. 7
b. 5
c. 3
d. 1

38. The OSI model is a peer-to-peer model. What does this mean?
a. Headers added at a layer on the sending computer are needed by the same layer on the
receiving computer
b. Headers added at a layer on the receiving computer are needed by the same layer on the
sending computer
c. The OSI model was designed for peer-to-peer networks
d. Each layer acts as a peer to the layers directly above and below it

39. Which two sublayers are part of the data link layer?
a. MAC and CDP
b. IP and LLC
c. MAC and LLC
d. RTP and PPP

40. Which functionality does a layer 3 switch have compared to a layer 2 switch?
a. Uses IP addresses
b. Uses MAC addresses
c. Uses session-based information
d. Analyses content

TCP/IP
1. What is the default subnet mask for a Class A network?
a. 255.0.0.0
b. 255.255.0.0
c. 255.255.255.0
d. 255.240.0.0

2. Your organization supports a legacy application that uses NetBIOS. Which type of server is needed
to interface with this application?
a. RAS
b. DNS
c. WSUS
d. WINS

3. What command(s) would be used to send a continuous stream of packets to a target IP address?
a. ping -t
b. ping -l
c. ping localhost
d. netstat -ano

4. RIP uses what as its metric?


a. MTU
b. Delay
c. Bandwidth
d. Hops

5. The first 3 packets in the capture below are known as:


a. UDP 3-way handshake
b. SYN response
c. TCP 3-way handshake
d. This is an example of TCP windowing

6. RIP is an example of what kind of routing protocol?


a. Path vector
b. Static routing
c. Link-state
d. Distance vector

7. OSPF is an example of what kind of routing protocol?


a. Distance vector
b. Static routing
c. Link-state
d. Path vector

8. Use the following output from netstat to answer the following question: What services are currently
listening on this workstation?

a. RDP
b. HTTP
c. HTTPS
d. NTP
9. You have been tasked with finding a subnet mask large enough to accommodate an address space
of 1000 addresses as efficiently as possible. What subnet mask do you use?
a. 255.255.255.0
b. 255.0.0.0
c. 255.255.252.0
d. 255.255.0.0
10. What process ID is associated with remote desktop protocol on this workstation?

a. 980
b. 4
c. 1764
d. 3389

11. Which protocol is used by ping and tracert?
a. ICMP
b. IGMP
c. IMAP
d. HTTP

12. What routing protocol would be used by an organization to connect to an ISP?


a. BGP
b. OSPF
c. IGMP
d. RIP

13. The default port for http is which of the following:


a. tcp 25
b. tcp 23
c. tcp 80
d. tcp 443

14. What type of record is used for DNS reverse lookup?


a. MX
b. SOA
c. PTR
d. SRV

15. Your workstation is having a TCP conversation with another node across TCP port 80. Your
machine receives a TCP segment with the header checksum 0x5149. Your machine calculates the
checksum for that segment as 0x6372. What will your workstation do to the TCP segment?
a. Nothing.
b. The workstation will reset the TCP connection.
c. The segment will be discarded.
d. Your machine will drop the connection to the opposite server and not reestablish
communication with it.
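
Question 15 and the encapsulation questions in the OSI section (7, 26, 35 and 36) describe the same mechanics from two directions: headers are added top-down on the sender and stripped bottom-up on the receiver, and the TCP checksum is verified at layer 4 using addresses borrowed from the layer 3 header. The following is an added example written for this page, not code from the Cybrary material: it builds a constructed Ethernet/IPv4/TCP frame, decapsulates it layer by layer, names each PDU, and verifies the TCP checksum the way a receiving stack does, including what happens when a bit is flipped in transit. The MAC addresses, IP addresses, ports and payload are constructed values.

```python
"""Build an Ethernet/IPv4/TCP frame, strip it layer by layer (decapsulation)
and verify the TCP checksum the way a receiving stack does. Added example for
question 15 here and for the encapsulation questions (7, 26, 35, 36) in the OSI
section; it is not from the Cybrary material. MACs, IPs, ports and payload are
constructed values."""

import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def internet_checksum(data: bytes) -> int:
    """RFC 1071: ones'-complement sum of 16-bit words, carries folded back in,
    result inverted. Used unchanged by IPv4, TCP, UDP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP's checksum also covers a pseudo-header borrowed from layer 3 (source
    and destination IP, zero, protocol 6, segment length), so a segment delivered
    to the wrong host fails verification even if its own bytes are intact."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, PROTO_TCP, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]  # checksum field is bytes 16-17
    return internet_checksum(pseudo + zeroed)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Encapsulation, top down: payload -> segment (L4) -> packet (L3) -> frame (L2)."""
    # Layer 4: TCP header (SYN, data offset 5 words) with the checksum slot zeroed.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    segment = tcp + payload
    segment = segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]
    # Layer 3: IPv4 header; its checksum covers only the header, not the segment.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                     64, PROTO_TCP, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    packet = ip + segment
    # Layer 2: Ethernet header in front of the packet.
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet


def decapsulate(frame: bytes) -> dict:
    """Decapsulation, bottom up: each layer reads and strips the header its peer
    added on the sending side and hands the remainder upward."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]                                   # layer 3 PDU
    ihl = (packet[0] & 0x0F) * 4
    if internet_checksum(packet[:ihl]) != 0:              # a valid header sums to zero
        raise ValueError("IPv4 header checksum failed")
    src_ip, dst_ip = packet[12:16], packet[16:20]
    segment = packet[ihl:]                                # layer 4 PDU
    sport, dport = struct.unpack("!HH", segment[:4])
    received = struct.unpack("!H", segment[16:18])[0]
    data_offset = (segment[12] >> 4) * 4
    return {
        "frame": {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":")},
        "packet": {"src_ip": ".".join(map(str, src_ip)),
                   "dst_ip": ".".join(map(str, dst_ip)), "protocol": packet[9]},
        # On a mismatch the stack silently discards the segment and lets the
        # peer retransmit; it does not reset or drop the connection.
        "segment": {"sport": sport, "dport": dport,
                    "checksum_ok": received == tcp_checksum(src_ip, dst_ip, segment)},
        "data": segment[data_offset:],
    }


def demo():
    """A good frame, and the same frame with one payload bit flipped in transit."""
    frame = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                        bytes([192, 168, 1, 10]), bytes([93, 184, 216, 34]),
                        51515, 80, b"GET / HTTP/1.0\r\n\r\n")
    damaged = bytearray(frame)
    damaged[-1] ^= 0x01
    return decapsulate(frame), decapsulate(bytes(damaged))


if __name__ == "__main__":
    good, bad = demo()
    print(good)
    print("damaged segment accepted?", bad["segment"]["checksum_ok"])
```

The damaged frame still passes the IPv4 header check, because that checksum covers only the header, and fails only at layer 4; that is the situation question 15 describes, and the correct reaction is to discard the segment and wait for retransmission rather than reset the connection.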

16. Convert hexadecimal number FF to decimal:


a. 127
b. 255
c. 256
d. 512

17. Convert 210 to binary notation


a. 01111111
b. 10000000
c. 11010010
d. 11100010

18. Convert the binary number 01101101 to decimal


a. 111
b. 127
c. 108
d. 109

19. Your organization supports a legacy application that uses NetBIOS. Which type of server is needed
to interface with this application?
a. RAS
b. DNS
c. WSUS
d. WINS

20. A customer has called in complaining about not being able to connect to network resources on
their workstation. You ask for their workstation’s hostname and try to ping it. Your pings are
unsuccessful. You instruct the customer on how to find their IP address and they report it as
169.254.36.237. What issue is affecting the customer at this time?
a. They are not connected to the network.
b. They are connected to the network, but their workstation hasn’t picked up an IP address
from the network’s DHCP server.
c. Their firewall is misconfigured to block DNS messages.
d. The NIC driver needs to be updated.

21. When a packet leaves a workstation for a destination on another network, which MAC address is
needed to get the packet to its destination?
a. The MAC address of the sending workstation
b. The MAC address of the destination node
c. The MAC address of the source workstation’s default gateway
d. The MAC address of the destination router

22. In order to communicate with other nodes, workstations need IP addresses. An automated method
of assigning IP addresses to workstations is called:
a. POST
b. ARP
c. RARP
d. DHCP

23. OSPF is an example of what kind of routing protocol?


a. Distance vector
b. Static routing
c. Link-state
d. Path vector

24. What is the purpose of a subnet mask?


a. The subnet mask allows a workstation to know which part of the MAC address is the
network portion and which part is the host portion
b. The subnet mask filters incoming packets according to a configured policy
c. The subnet mask divides the IP address into a network portion and a host portion
d. The subnet mask allows the workstation to know which part of the MAC address is the OUI
and the Device ID

25. Which protocol is used by ping and tracert?


a. ICMP
b. IGMP
c. IMAP
d. HTTP

26. What type of DNS record is used to specify mail servers?
a. Mail slots
b. AAAA
c. A
d. MX

27. What is the CIDR notation /26 in dotted decimal notation?
a. 255.255.255.0
b. 255.255.255.128
c. 255.255.255.192
d. 255.255.255.224

28. You are assisting an application developer with filling out a load balancing request. The
developer wants all http requests to be forwarded to the default https port. How would you
advise the developer to fill out the request?
a. The load balancer should listen on tcp port 443 and forward to tcp port 80
b. The load balancer should listen on tcp port 80 and forward to tcp port 445
c. The load balancer should listen on tcp port 80 and forward to tcp port 443
d. The load balancer should listen on tcp port 80 and forward to tcp port 80

29. You have been tasked with finding the routers that have been installed between two networks.
What utility would you use to provide this information?
a. tracert
b. ipconfig
c. route PRINT
d. route CHANGE

30. You have been tasked with finding a subnet mask large enough to accommodate an address
space of 1000 addresses as efficiently as possible. What subnet mask do you use?
a. 255.255.255.0
b. 255.0.0.0
c. 255.255.252.0
d. 255.255.0.0

31. Which of the following is TCP NOT noted for?
a. Flow control
b. Connectionless communication
c. Connection-oriented communication
d. Error notification

32. Why do nodes need to use ARP to communicate effectively?
a. ARP enables a workstation to receive IP address, subnet mask, and default gateway
information automatically from a central server
b. ARP resolves host names to IP addresses
c. ARP resolves host names to MAC addresses
d. ARP resolves IP addresses to MAC addresses

33. RIP uses what as its metric?
a. MTU
b. Delay
c. Bandwidth
d. Hops

34. What is the address range for a private Class A network?
a. 8.0.0.0-8.255.255.255
b. 192.168.0.0-192.168.255.255
c. 172.15.0.0-172.32.255.255
d. 10.0.0.0-10.255.255.255

35. What is the last assignable address on the 192.168.50.0 255.255.255.248 network?
a. 192.168.50.7
b. 192.168.50.6
c. 192.168.50.254
d. 192.168.50.8

36. Your colleague is having trouble converting CIDR notation to regular decimal format. He has
been tasked to find the decimal format subnet mask for a /23 network. What do you tell him?
a. 255.255.255.0
b. 255.255.255.128
c. 255.255.0.0
d. 255.255.254.0

37. What is the broadcast address of 192.168.30.64?
a. 192.168.30.65
b. 192.168.32.255
c. 192.169.30.127
d. 192.168.30.128

38. A device which forwards frames based on MAC addresses is called:
a. Router
b. Framer
c. Application gateway
d. Switch

39. What is the maximum number of hosts on the 192.168.50.0 255.255.255.252 network?
a. 2
b. 4
c. 254
d. 12

40. What command(s) would be used to send a continuous stream of packets to a target IP address?
a. ping -t
b. ping -l
c. ping localhost
d. netstat -ano

Network Fundamentals
1. What is the network ID of the following IP address? 192.168.1.1 255.255.255.0
a. 192.0.0.0
b. 192.168.0.0
c. 192.168.1.0
d. 192.168.1.1

2. Collision domain isolation is performed by which device?
a. Hub
b. Switch
c. Router
d. Bridge

3. Which RAID offers no fault tolerance?
a. RAID 0
b. RAID 1
c. RAID 5
d. RAID 10

4. Storing data or hosting services or software with providers accessed through the internet is referred
to as using a ___________provider
a. Cloud
b. Host
c. Storage
d. Mobile

5. What is the network authentication protocol that is ticket based and provides mutual
authentication?
a. NTLM
b. Active Directory
c. Kerberos
d. DHCP

6. A host has an IP address of 169.254.1.1. What does this indicate?
a. DHCP server is unavailable
b. DNS is unavailable
c. Active Directory is unavailable
d. Group Policy is unavailable

7. When a client reaches their default gateway, which hardware device are they accessing?
a. Switch
b. Proxy
c. Router
d. VLAN

8. A common means of connecting one site to another for the purpose of access and information
sharing is known as _____________
a. Dial-up
b. LAN Extension
c. A VPN
d. Extranet

9. Resolving a user-friendly name to an IP address is performed by which service?
a. DHCP
b. DNS
c. RAS
d. IPSec

10. Why are the individual wires twisted in twisted pair cable?
a. To prevent crosstalk
b. To increase the distance signal can travel
c. To increase the speed data can travel
d. To increase distortion

11. The Windows authentication database is called __________
a. Security Accounts Manager
b. Realm Directory
c. Security Directory
d. Active Directory

12. A user can ping a host by IP address, but not by name. What is likely the problem?
a. DHCP
b. ARP
c. ICMP
d. DNS

13. What type of addressing do switches use?
a. MAC addresses
b. IP Addresses
c. IPX Addresses
d. VLAN Addresses

14. In order to obtain an IP address automatically, what service should be used?
a. DHCP
b. DNS
c. RAS
d. IPSec

15. The open protocol that is in use on most networks, including the internet is called ________
a. TCP/IP
b. IPX/SPX
c. Netbeui
d. Powershell

16. The minimum length for a password on a medium security network should be
__________ characters
a. Four
b. Eight
c. Twelve
d. Fifteen

17. What is the type of cable most commonly used in local networks today?
a. Coaxial
b. Unshielded Twisted Pair
c. Fiber Optic
d. Thin net

18. What type of network can span a large geographical area?
a. LAN
b. WAN
c. MAN
d. PAN

19. What is a way to limit the ability of an attacker to guess user passwords?
a. Enforce complexity requirements through group policy
b. Trust users to create good passwords and protect them
c. Encourage users to write passwords down
d. Assign passwords to users and force them to change the passwords at first login

20. In order to connect to an IP network what must be configured?
a. DNS Server address
b. IP address and Subnet mask
c. Default Gateway
d. DHCP

21. Broadcast traffic goes to which systems on a network?
a. The system addressed
b. Systems with a need for that information
c. A select group of systems
d. All systems

22. In relation to IP addressing, what indicates the portion of the address that is network id and the
portion that is host id?
a. Frame mask
b. Element id
c. Subnet mask
d. Packet

23. Which of the following is a protocol that might be used in a VPN?
a. IPSec
b. TCP
c. ICMP
d. FTP

24. What is the best way to guarantee redundancy of data?
a. RAID
b. Clustering
c. Backups
d. Load balancing

25. What is the address that is bound to a network card and should not change regardless of where
the device is located?
a. MAC address
b. IP address
c. Frame Address
d. DNS Address

26. What is the type of network limited to a building or campus?
a. LAN
b. WAN
c. MAN
d. PAN

27. In a Windows environment, authentication servers are referred to as _____
a. Realm Controllers
b. Access Systems
c. Domain Controllers
d. Firewalls

28. When is Group Policy applied to a computer?
a. Startup
b. Shutdown
c. Intermittently throughout the day
d. Immediately, as soon as the policy is created

29. A means of distributing security rules and configuration to multiple systems is through the use of
____________
a. Access lists
b. Group policy
c. Firewalls
d. Routers

30. Access to resources on a network is generally controlled through
a. ACLs
b. RAS
c. Isolation
d. Group Policy

31. What service does a VLAN provide?
a. Collision isolation on a switch
b. Broadcast isolation on a switch
c. Framing
d. Connection to another network

32. An area of the network that is segmented from the LAN that is reserved for systems to which the
public will have access (for instance, web servers) is called _____________
a. Intranet
b. DMZ
c. Public domain
d. Subnet

33. In order to limit the disclosure of data on a network, which process is helpful?
a. Encryption
b. Enumeration
c. Elevation
d. Escalation

34. What protocol would be used for clients to access email?
a. IPSec
b. SNMP
c. POP 3
d. RTP

35. The means that allows a user to log-in once to the domain and access many resources is called
a. Super Sign-on
b. Single Sign-on
c. Peer-to-Peer networking
d. Open Access

36. What utility is used to show a host’s IP address, Subnet Mask, and default gateway?
a. PING
b. Telnet
c. SSH
d. Ipconfig

37. A means of providing redundancy for hard drives is called
a. RAID
b. Data backups
c. Load Balancing
d. Hot Swappable drives

38. What protocol is responsible for transmitting mail from one mail server to another?
a. IPSec
b. SNMP
c. SMTP
d. RTP

39. What is the protocol which PING uses?
a. ICMP
b. IGMP
c. IGRP
d. IMAP

40. A common problem with network cable is that signal degrades over distance. What is this called?
a. Amplification
b. Distortion
c. Attenuation
d. Elimination

Fundamental System Security
1. Which technology prevents unauthorized viewing of databases?
a. Cloud encryption
b. Database encryption
c. Mobile device
d. Individual file encryption

2. Which technology allows a PC to contain multiple operating systems that can only be used one at
a time?
a. Hypervisor
b. MultiBoot
c. System boot
d. Safe mode

3. Which type of data must be protected from unauthorized access?
a. Financial
b. Healthcare or PII
c. Trade secret
d. All of the above

4. What is the best location for spare devices and documents?
a. On the desk
b. Office bulletin board
c. In a safe
d. In the trash

5. When is the best time to write secure code in application development?
a. Don’t worry about it
b. The beginning
c. When you are over halfway finished
d. After it has been deployed, you can always patch it with updates

6. Which process typically takes less time, server-side validation, or client-side validation?
a. Both are equal
b. Server-side validation
c. Client-side validation
d. Neither

7. Which technology allows data access from the Internet?
a. Cloud
b. Server
c. File Folder
d. Google Docs

8. What does anti-malware not protect against?
a. Trojans
b. Social engineering attack
c. Virus
d. Worm

9. Can all removable media support encryption?
a. Yes
b. No
c. 0
d. 0

10. How would an end user prevent a XSS (cross-site scripting) attack?
a. Use anti-malware or anti-spyware programs
b. Input validation
c. Deploy security patches based on the signatures of malware
d. Take password off the computer

11. What should be used to print sensitive data?
a. Office printer
b. Send it to the cloud
c. Use a local printer
d. None of the above

12. Which technology can be used to erase a lost or stolen mobile device?
a. Device encryption
b. Remote wipe
c. Remote backup
d. Police mode

13. Multiple virtual machines with different operating systems can be used at the same time.
a. TRUE
b. FALSE
c. 0
d. 0

14. Which state is data in when sending an email?
a. Data in motion
b. Data in use
c. Data at rest
d. All of the above

15. Which item describes a text file pushed to your system to log your user preferences?
a. Brownie
b. Spyware
c. Cookie
d. Malware

16. Which type of attacks will fuzzing protect against?
a. SQL injections
b. Buffer overflows
c. XML attacks
d. All of the above

17. Which feature allows tracking a lost or stolen mobile device?
a. GPS
b. STS
c. GTS
d. Phone Finder 2.0

18. Which control prevents unauthorized use of a mobile device?
a. Screen saver
b. Screen lock
c. Screen protector
d. Phone case

19. Which technology is a specialized crypto processor designed to address large encryption
calculations?
a. HSM
b. SLM
c. TMP
d. DDOS

20. Which role is responsible for application patch management?
a. End user
b. Administrator
c. IT intern
d. Your office neighbour

21. Which technology will protect data in motion?
a. SSL
b. SSH
c. TLS
d. All of the above

22. How do systems get infected with malware?
a. Connecting online
b. Sharing usb drives
c. Sharing hard drives
d. All of the above

23. Which technology protects our email inbox from malicious users?
a. Anti-malware software
b. Anti-spam or spam filters
c. Anti-spyware
d. Pop-up blockers

24. If a hard disk is encrypted, why would file encryption also be required?
a. In case the file will be sent over the Internet
b. In case the file will be moved to another hard drive
c. In case the file will be copied to a USB device
d. All of the above

25. Which process should be used to remove PII from a mobile device?
a. Sterilization
b. Recycling
c. Sanitization
d. deletion

26. What is the best form of security for lost or stolen mobile devices?
a. Device encryption
b. Screen lock
c. passwords
d. Screen protector

27. What type of firewall can be used by Windows?
a. Hardware
b. Software
c. Host based
d. Both B and C

28. How would an end user prevent a CSRF attack?
a. Install certain browser add-ons
b. Delete temporary files
c. Keep browser updated
d. All of the above

29. What practice nullifies any code or scripts provided by a user?
a. Output validation
b. Input validation
c. Script nullification
d. Input nullification

30. Which technology prevents adware?
a. Anti-malware software
b. Anti-spam or spam filters
c. Anti-spyware
d. Pop-up blockers

31. Which areas of an organization save money by using virtualization?
a. Physical space
b. Hardware and computers
c. Licenses
d. All of the above

32. What is the name of Microsoft’s cloud storage solution?
a. Dropbox
b. iCloud
c. OneDrive
d. Google Drive

33. How could an organization prevent users from taking office laptops home?
a. Cable lock
b. Locking cabinets
c. Safe
d. An anchor

34. Using Application Patch Management what step should be taken first?
a. Validate that patch is from the correct manufacturer
b. Test the patch
c. Migrate the patch to user’s computer for use
d. none of the above

35. Which type of encryption works on an entire hard drive?
a. Full disk
b. Database
c. Removable media
d. Mobile device

36. What would be affected if the configuration of items in locking cabinets was changed?
a. Confidentiality
b. Integrity
c. Availability
d. None of the above

37. Which is not a valid data state?
a. Data in motion
b. Data in use
c. Data in space
d. Data at rest

38. Which state is data in when being copied or printed?
a. Data at rest
b. Data in motion
c. Data in use
d. All of the above

39. Which technology is used by large organizations to manage their data?
a. Security Incident Event Managers
b. Cloud Services
c. Storage Area Networks
d. File Cabinet

40. Which software allows the use of virtual machines?
a. Supervisor
b. Hypervisor
c. VM system manager
d. Virtual manager

Communication and Network Security
1. What is a type of malicious code that lies dormant until a logical event occurs?
a. Logic Bomb
b. Time Bomb
c. Net Bomb
d. Logic Worm

2. What happens at the Data Link Layer?
a. ARP Resolution
b. Error detection
c. Media Access Control
d. All of the above

3. What is an attack that involves someone changing the physical address and replacing it with the
attacker’s desired server?
a. MAC Spoofing
b. Wired Spoofing
c. RFI Attack
d. ARP Poisoning

4. As you move up the OSI Model you gain intelligence for your devices and lose ______?
a. Security
b. Money
c. Speed
d. a lot

5. What is a way to block a SMURF attack?
a. Block ICMP
b. Block Directed Broadcasts
c. Block IP
d. Both A&B

6. What is the most commonly used physical topology?
a. BUS
b. Ring
c. Star
d. Mesh

7. At what layer of the OSI model do NICs operate?
a. Physical
b. Application
c. Data Link
d. Both A&C

8. What protocol is behind echoing utilities like PING and TraceRoute, and is also frequently exploited?
a. ICMP
b. IP
c. IKE
d. IGMP

9. What layer switch is necessary for inter-VLAN communications?
a. 2
b. 4
c. 1
d. 3

10. A CSRF is an example of what attack?
a. Session Hijacking
b. Virus
c. Time Bomb
d. Salami

11. What do we use to get broadcast isolation?
a. Switches
b. Routers
c. Hubs
d. ARPS

12. What is the controversial computer program designed for remote system administration that enables
a user to control a computer running the Microsoft Windows operating system from a remote location,
and whose name is a play on words on Microsoft BackOffice Server software?
a. Net Bus
b. Back Orifice
c. SubSeven
d. Notepad ++

13. Which type of non-flexible cable was originally limited to 10 Mbps and, though it may be more
secure than some alternatives, is still susceptible to vulnerabilities?
a. Coaxial
b. Twisted Pair
c. Fiber Optic
d. Time Warner

14. Gigabit Ethernet uses what cable?
a. CAT3
b. CAT 5
c. RG-6
d. All of the Above

15. What physical topology is the most fault tolerant and fully redundant?
a. Bus
b. Ring
c. Star
d. Mesh

16. The OSI Data Link Layer and Physical Layer map to which layer of the TCP/IP model?
a. Application
b. Network Access
c. Host to Host Transport
d. Internet

17. What do you need to get broadcast isolation on a switch?
a. Router
b. Hub
c. VLAN
d. LAN

18. What type of Media Access Control resembles a classroom, with everyone having an open forum
to ask questions, without raising their hands?
a. CSMA/CD
b. CSMA/CA
c. Token Passing
d. Token Taking

19. What does not happen on the Presentation Layer?
a. data transfer
b. Formatting
c. Compressing
d. Encryption

20. What is an example of a Backdoor program?
a. Netbus
b. Subseven
c. Back Orifice
d. All of the above

21. Do all switches support VLAN?
a. Yes
b. No
c. 0
d. 0

22. Name this attack: a type of attack that exploits the three-way handshake of TCP. It is a layer 4
attack, and a stateful firewall is needed to prevent it.
a. Salami
b. Trojan Horse
c. Syn flood
d. none of the above

23. What is similar to a virus, but does not need a host and is self replicating?
a. Time Bomb
b. Wardialing
c. Worm
d. Session Hijacking

24. What is the best defense for a Sniffing attack?
a. Block UDP
b. Block ICMP
c. Delete Cookies
d. Encryption

25. On What OSI layer does a Smurf attack happen?
a. Layer 4
b. Layer 3
c. Layer 5
d. Could happen on any layer

26. What type of Fiber Optic Cable is used for communications over short distances?
a. MultiMode
b. Single Mode
c. CAT5
d. RG-59

27. What is not a layer of the TCP/IP Model?
a. Network Interface Layer
b. Host to Host Transport Layer
c. Application layer
d. Data Link Layer

28. What is the best thing a Hub can do?
a. Provide Security
b. Send and Receive Data efficiently
c. Separate Data on all protocols
d. Operate inexpensively

29. You have been asked to perform a site assessment for your new data center and to recommend
the type of cabling to be used. What cabling do you use, keeping in mind your boss has asked you to
keep costs low?
a. Coaxial
b. Twisted Pair
c. Twisted Group
d. Fiber Optic

30. What is overwhelming a system with a multitude of pings?
a. Ping Ponging
b. Pinging
c. Ping Flooding
d. Ping Bombing

31. What is not a Sub-layer of the Data Link Layer?
a. Logical Access Control (LAC)
b. Logical Link Control (LLC)
c. Media Access Control (MAC)
d. All of the Above

32. How many layers are in the TCP/IP Model?
a. 4
b. 7
c. 9
d. 5

33. What is not an aspect of the Application layer?
a. Application Proxies
b. Switches
c. Content Inspection
d. Non-Repudiation

34. For the purpose of our study, what is the only protocol that starts with the letter (I), that does not
function at layer 3?
a. ICMP
b. IP
c. IKE
d. IMAP

35. What is an example of a layer 7 protocol?
a. HTTP
b. FTP
c. SNMP
d. All of the Above

36. Is a SMURF attack a DDOS attack?
a. YES
b. no, phishing
c. no, BIOS
d. no, Brute Force

37. At what layer of the TCP/IP Model and OSI Model would you find a kernel firewall?
a. Network Access(TCP/IP) and Data Link (OSI)
b. Network Access(TCP/IP) and Physical(OSI)
c. Application(TCP/IP) and Application(OSI)
d. Application(TCP/IP) and Presentation(OSI)

38. What is not true of Switches?
a. Layer 2 device
b. Isolates Broadcast Traffic
c. Isolates Collision Domains
d. Uses Mac Addresses

39. What happens on the session layer?
a. Set up of a connection/session
b. Maintenance of a connection/session
c. Tear down of a connection/session
d. All of the above

40. What is the least secure type of cable?
a. Coaxial
b. Twisted Pair
c. Multi Mode Fibre Optic
d. Single Mode Fibre Optic

Network Devices
1. Promiscuous Mode on a Network Interface Card allows
a. Allows a NIC to pick up any traffic regardless of destination MAC address
b. Allows a NIC to communicate even if other systems communicating at the same time
c. Allows a switch to broadcast using ARP
d. Detect collisions

2. [Access-list 102 deny TCP any any eq 23] serves what purpose on a router or firewall?
a. Blocks all tcp traffic
b. Blocks TCP traffic but allows traffic on port 23
c. Blocks all telnet traffic
d. Limits remote connections to 23 connections

3. A troubleshooting utility used to track traffic as it hops across routers and to determine at what
point remote traffic is experiencing delays
a. PING
b. Traceroute
c. Redirect
d. Hops

4. What does WPA II Enterprise indicate?
a. Support for RADIUS and AES
b. RADIUS and RC-4
c. TKIP and AES
d. Backwards compatibility

5. Which mode of IPSec is incompatible with Network Address Translation (NAT)?
a. AH
b. ESP
c. Tunnel Mode
d. Transport

6. What are the default connections for MOST home routers and access points?
a. IP: 192.168.0.1 administrative account: admin, password: admin (or password)
b. IP: 10.10.10.1 administrative account: administrator, password: admin (or password)
c. IP: randomly assigned, administrative account: administrator, password: admin (or
password)
d. IP: dynamically assigned, administrative account: admin, password: admin (or password)

7. Which of the following are vulnerabilities of WEP?
a. Dynamic key negotiation
b. Uses AES for encryption
c. Self-synchronizing
d. Uses a weak implementation of RC-4

8. Which can a layer 3 firewall use to allow or block traffic?
a. username
b. Network time
c. IP address
d. MAC addresses

9. What are the characteristics of a router?
a. Broadcast domain isolation
b. Use of Fully Qualified Domain Names
c. Use of MAC addresses
d. Shared broadcast domains

10. To configure a switch to allow the effective connection of an Intrusion Detection System, what
must be configured on the switch?
a. Promiscuous mode
b. Port Span
c. Network Address Translation
d. Port Address Translation

11. How does MAC Flooding compromise a switch?
a. It overwhelms a switch’s table mapping MAC addresses to ports, therefore forcing a switch
to send all data out all ports until it learns the network again.
b. It compromises the IP Table and allows data breach
c. It deletes all VLANs established on the switch
d. It is a denial of services attack that renders user unable to transmit data through the switch

12. What underlying protocol does RADIUS use?
a. TCP
b. UDP
c. ARP
d. ADP

13. The defense against XSS and Code Injection includes
a. Input validation
b. Packet Filter
c. Anti-virus program
d. Web Server with Anti-virus

14. Routers by default:
a. Provide automatic IP Assignments
b. Deny All
c. Provide Connectivity between networks
d. Provide filtering

15. What is the main purpose of a VLAN—single answer?
a. To enhance the performance of traffic on the network
b. To provide communication across subnets
c. To provide broadcast isolation on a switch
d. To eliminate the need for automatic IP addressing

16. What is the purpose of Network Access Control (NAC)?
a. To provide translation between internal and external addresses
b. To inspect health of clients and make access decisions based on that information
c. To protect internal hosts from external threats
d. To provide remediation services to clients with viruses

17. What is the main purpose of a router—single answer?
a. To provide broadcast isolation
b. To allow systems to connect on a local subnet
c. To provide high-end packet inspection at layer 7
d. To provide content inspection from trusted networks to untrusted

18. An inherent weakness in Telnet is that ___
a. It is slower than other remote administration services/protocols
b. It’s sequence numbers do not provide enough randomness
c. Credentials are transmitted in clear text
d. Has a great deal of built in security, and therefore it is very slow

19. Which of the following devices might reasonably be located in a DMZ?
a. Domain Controller
b. Key Distribution Center
c. Web Server
d. LDAP server

20. Which of the following proxies can provide content filtering?
a. Layer 5
b. Packet Filters
c. Layer 5 Stateful Proxies
d. NAT devices

21. The success of a Network Access Control server depends on the client’s ability to
a. Provide proof of health
b. Respond to authentication requests
c. Quickly remediate problems
d. Access

22. What is the main purpose of a VLAN?
a. To enhance the performance of traffic on the network
b. To provide communication across subnets
c. To provide broadcast isolation on a switch
d. To allow implementation of security rules and ACLs
e. To eliminate the need for automatic IP addressing

23. VPNs frequently use which of the following protocols?
a. IPSec
b. HTTP
c. FTP
d. TFTP

24. How can a rogue DHCP server be detected/mitigated?
a. DHCP scanning configured on the client
b. Server-based authentication of DHCP Server
c. Configure DHCP address manually on the client
d. DHCP snooping configured on the switch

25. In order to connect to an IP network, what configuration is MANDATORY?
a. DHCP
b. IP of Domain Controller
c. Broadcasts
d. IP address and Subnet Mask

26. How would an “evil twin” attack be carried out?
a. Cache poisoning in DNS
b. A Wi-Fi access point named the same as a legitimate access point
c. Using DHCP to point clients to a rogue router rather than a legitimate one
d. By spoofing MAC addresses

27. What is the most essential function of a packet filtering firewall?
a. To provide network address translation
b. To connect two disparate networks
c. To provide deep packet inspection
d. To separate out trusted from untrusted

28. Why does a router offer better functionality than a VLAN implementation on a standard switch?
a. Routers are cheaper than switches
b. Routers are faster than switches
c. Routers allow intra-VLAN communications
d. Standard switches are layer 2 and designed to use MAC addressing, while routers (or layer
3 switches) can allow the VLANs to communicate with each other

29. Why are hubs obsolete today?
a. Hubs present a security risk by isolating collision domains
b. Hubs present a security risk by not isolating collision domains
c. Hubs use MAC addressing, which aren’t used today
d. Routers are much more efficient and cheap at providing similar capability

30. Devices that would inspect traffic destined for the DMZ would be
a. DNS Server
b. Honey Pot
c. Web Application Firewall
d. Proxy Server

31. The purpose of isolating collision domains is to
a. Limit the number of connections on a subnet
b. Reduce the number of hosts trying to communicate at any given time on a network
segment
c. Limit the number of broadcasts on any given segment
d. Allow hosts to announce their intention to transmit data, rather than having them transmit
simultaneously resulting in a collision

32. Implicit Deny on a firewall is also known as
a. Whitelisting
b. Blacklisting
c. Elimination filtering
d. Rules-based access control

33. An IDS that requires a baseline of the network is called
a. Behavior-based
b. Definition-based
c. Signature-based
d. Statistical

34. What is the difference between a forward proxy and a reverse proxy?
a. A forward proxy intercepts external traffic coming into the network while a reverse proxy
intercepts internal traffic going out
b. A reverse proxy intercepts external traffic coming into the network while a forward proxy
intercepts internal traffic going out
c. A reverse proxy is used to provide NAT Service, while a forward proxy is geared more
towards traffic inspection
d. A forward proxy can be used to analyze spoofing attempts and is often used in lieu of a
firewall

35. Which is the main benefit of a traditional, layer 2 switch?
a. Collision domain isolation
b. Broadcast domain isolation
c. Use of IP addresses
d. Packet filtering

36. Which Wireless encryption standard was the first to require WPA II?
a. 802.11a
b. 802.11b
c. 802.11 n
d. 802.11ac

37. What is the reason we use a firewall on a network?
a. To separate “trusted” from “untrusted”
b. To provide greater bandwidth and QoS where needed
c. To increase the size of collision domains
d. To increase the size of broadcast domains

38. In a typical network environment, how do client systems know how to contact a domain controller
to authenticate?
a. They are manually configured with the domain controller’s address
b. DHCP provides the address
c. DNS Provides the address through the use of its SRV records
d. The client broadcasts a request

39. What inherent weakness is present in DHCP?
a. DHCP relies on IPv6, so if IPv6 is not enabled, the service won’t work
b. Even an authorized server is incapable of assigning IP addresses from multiple scopes
c. Scopes are difficult to disable, which leads to the possibility of an incomplete addressing
scheme being delivered
d. DHCP Servers can be easily spoofed as clients never authenticate the identity of the DHCP
server (by default)

40. [Access-list 101 deny TCP 10.1.1.1 192.168.1.1 eq 22] serves what purpose on a router or firewall?
a. Blocks all SSH traffic from addresses 10.1.1.1 and 192.168.1.1
b. Blocks SCP traffic from 10.1.1.1 to 192.168.1.1
c. Blocks all SSH Traffic from 192.168.1.1 to 10.1.1.1
d. Blocks ALL traffic from 10.1.1.1 to 192.168.1.1

IDS/IPS
1. Which technology, when installed on a host, is likely to negatively impact system performance?
a. NIDS
b. NIPS
c. HIDS
d. Sniffer

2. Which term best describes analysing the condition of systems and networks in order to remediate
any problems?
a. Proportionality of response
b. Passive defence
c. Active defence
d. None of the above

3. Where is the best location for an IDS in relation to a firewall?
a. Inside Behind the firewall
b. Outside the firewall
c. On the firewall
d. In the DMZ

4. Given the firewall rules below, what is the effect?
a. Traffic from 219.104.175.222 is denied access to the network
b. Traffic to 219.104.175.222 is allowed access to the network
c. All traffic is denied access to hosts on 219.104.175.0 network except 219.104.175.222
d. All traffic is denied access to all hosts on the 219.104.175.0 network

5. In order for a device to eavesdrop on communications, which of the following must be true?
a. The network device’s interface must be configured with a SPAN port
b. The network interface must be configured as a listener
c. The network interface must be configured in promiscuous mode
d. The device must be plugged into a switch

6. Which technology is required to block traffic coming into the network?
a. Ingress Filtering
b. Egress Filtering
c. Stateful filtering
d. Packet filtering

7. Which detection mechanisms are employed by an IPS?
a. Packet anomaly detection
b. TCP connection analysis
c. Generic pattern matching
d. All of the above

8. Which technology is required to block traffic leaving the network?
a. Ingress Filtering
b. Egress Filtering
c. Stateful filtering
d. Packet filtering

9. A new IDS is generating many irrelevant log entries. Which action would best remedy this problem?
a. Change the IDS to use a heuristic anomaly filter
b. Adjust IDS filters to increase the clipping levels
c. Change the IDS filter to data mine the false positives for statistical trending data
d. Adjust IDS filters to increase the number of false positives

10. In order to truly prevent an attack, how should an IPS be configured?
a. Inline
b. Passive
c. Promiscuous
d. Reset

11. How should a switch port be configured to monitor network traffic?
a. Configure a SPAN port
b. Open the port
c. Close the port
d. Configure flooding mode

12. Which type of malware modifies itself to avoid detection?
a. Metamorphic
b. Polymorphic
c. Armored
d. Stealth

13. Which IDS evasion technique uses a non-standard character set in order to avoid detection?
a. Confusion
b. Diffusion
c. Obfuscation
d. Masking

14. Which of the following is an advantage of anomaly detection?
a. Rules are easy to define
b. Custom protocols can be easily analyzed
c. Usually capable of detecting a zero-day attack
d. Malicious activity that falls within normal usage patterns is detected

15. Which of the following is true of a signature-based NIDS?
a. They alert administrators to deviations from "normal" traffic behavior
b. They identify previously unknown attacks
c. They can inspect encrypted traffic
d. They scan network traffic and can only detect previously documented patterns

16. Which type of IDS cannot protect against a zero-day exploit?
a. Signature
b. Anomaly
c. Behavior
d. Heuristic

17. Which type of firewall only examines the packet header information?
a. Stateful firewall
b. Kernel proxy firewall
c. Packet-filter firewall
d. Application-level proxy firewall

18. How does an IPS differ from an IDS?
a. An IDS detects network attacks, but doesn't issue alerts
b. An IPS detects network attacks but doesn’t issue alerts
c. An IPS has a passive response while an IDS has an active response
d. An IDS has a passive response while an IPS has an active response

19. What is the difference between a packet-filter and an IPS?
a. An IPS is a passive device, whereas a packet filter is active
b. A packet filter is an inline device, whereas an IPS is not
c. A packet filter inspects packet headers and an IPS inspects the entire packet
d. An IPS only sends alerts and resets, but can’t actually block traffic

20. A protocol analyzer captured the traffic below. What type of traffic is it?
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds
Max-Forwards: 70
To: Bob
From: Alice ;tag=1928301774
Call-ID: [email protected]
CSeq: 314159 INVITE
Contact:
Content-Type: application/sdp
Content-Length: 142
a. Broadcast
b. VOIP
c. EMAIL
d. FTP

21. A WAF without customization will protect the infrastructure from which of the following attack
combinations?
a. DoS, DNS poisoning, and pharming
b. JavaScript and Active X controls
c. SQL injection, XSS, and HTTP exhaustion
d. SQL injection, browser hijacking, and clickjacking

22. Which type of IDS is most likely to generate false positives?
a. Anomaly-based
b. Signature-based
c. RFC-based
d. Knowledge-based

23. What is a false positive?
a. An IDS ignores an attack
b. The lack of an alert for malicious activity
c. An alert that accurately captures an attack
d. An IDS sends an alert about an attack, however no attack actually occurred

24. Which of the following types of traffic would generate the below alert?
alert icmp any any -> any any (msg:"ALERT"; classtype:not-suspicious; sid:2000001; rev:1;)
a. TCP Syn/Ack
b. TCP Syn
c. TCP Ack
d. ping
e. All IP traffic

25. What is the technique called for enumerating the ruleset of a firewall?
a. Firewalking
b. Firedumping
c. Firecracking
d. Firelisting

26. Which technology prevents internal systems from being used as zombies in an attack on another
network?
a. Ingress Filtering
b. Egress Filtering
c. IDS
d. Honeypot

27. Which type of IDS uses a “learning mode” to establish a network traffic baseline?
a. Signature-based
b. Anomaly-based
c. Rule-based
d. Knowledge-based

28. Circuit level firewalls operate at which layer of the OSI Model?
a. 3
b. 4
c. 5
d. 7

29. Which technique describes blocking all traffic except that which is explicitly allowed?
a. Open-listing
b. Closed-listing
c. Whitelisting
d. Blacklisting

30. Which of the following attacks will NOT be prevented by a WAF?
a. SQL Injection
b. Session Hijacking
c. Registry Modification
d. Buffer Overflows

31. Which device operates at layer 7 of the OSI model?
a. HIPS
b. NIPS
c. NAT
d. NIDS

32. Which statement correctly describes an insertion attack?
a. Injecting malicious code into the data stream in order to compromise a system
b. Another term for session hijacking
c. Adding spurious code to modify the attack’s signature without changing the payload
d. A type of buffer overflow

33. An IDS is known as a passive device. Which of the following is NOT a passive response?
a. Sending a TCP reset
b. Alerting an administrator
c. Creating an entry in a log file
d. Inspection of current traffic on the network

34. Which one of the following is true of a Host-based Intrusion Detection System (HIDS)?
a. It captures network traffic
b. Has a quick response with zero-day attacks
c. Recognizes and reports alterations to the registry and data files
d. Alerts on known intrusion patterns

35. Which of the following pieces of information can NOT be examined by a packet-filter firewall?
a. IP
b. URL
c. Port
d. Protocol

36. Which device supports deep packet inspection?
a. Packet filter
b. Screening router
c. NAT
d. Proxy
e. Circuit-level Firewall

37. In the event of a conflict in the ruleset of a firewall, which rule will be applied?
a. The first rule
b. The last rule
c. The conflicting rules cancel each other out
d. Certain types of traffic are prioritized, which is used for conflict resolution

38. What is the purpose of a honeypot?
a. To flag attacks against known vulnerabilities
b. To help reduce false positives in a signature-based IDS
c. To serve as a decoy, and distract an attacker from the true assets of the organization
d. To lure users into a system so they can be prosecuted

39. A security administrator uses a honeypot to create a website in the DMZ, encouraging users to
“Click here for free music!!!”. The admin then pursues action for trespassing against those who click
the link. What is this technique called?
a. Enticement
b. Entrapment
c. Fourth amendment violation
d. An appropriate use of a honeypot

40. Which type of IDS requires a network performance baseline?
a. Signature-based
b. RFC-based
c. Knowledge-based
d. Anomaly-based

End User Security Fundamentals
1. An authentication server stores both the username and the password.
a. TRUE
b. FALSE

2. PII stands for
a. Personnel Ideal Information
b. Persons Identity Information
c. Personal Identification Information
d. Personally Identifiable Information

3. The difference between a DOS attack and a DDOS attack is _______
a. The number of attacking computers
b. The use of encryption-breaking software
c. The use of brute-force tactics
d. The use of violations of integrity

4. Which of the following is NOT a technical attack?
a. Keyloggers
b. Email Attachments
c. Social Engineering
d. USB attacks

5. An email with a known sender is safe from phishing.
a. TRUE
b. FALSE

6. Which of the following can NOT be used as PII?
a. First and Last name
b. High School Mascot
c. Email Address
d. Facebook Friends

7. Which of the following is NOT a good practice for defending PII?
a. Defer questions to those who you have authority over
b. Authenticate according to policy
c. Follow company policy
d. Do not leave PII unprotected

8. Which of the following is NOT a Cybersecurity Threat?
a. Common Persistent Threats
b. Outsider Threats
c. Insider Threats
d. Highly Organized Threats

9. Pretexting is synonymous with what?
a. Investigation
b. Impersonation
c. Interrogation
d. Infiltration

10. _______ dollars were lost in the United States last year due to cyber attacks.
a. 250 Million
b. 25 Billion
c. 250 Billion
d. 500 Billion

11. A digital signature provides assurance that the file has not been modified.
a. TRUE
b. FALSE

12. In terms of End User Security, what is Integrity?
a. Making sure we keep our data and our information private from those who do not "Need to
Know"
b. Making sure that we, our clients, and anyone else who needs access to the data has access.
c. Making sure that our data is useless to outsiders, through processes like encryption.
d. Making sure that our data is not tampered with so that information sent and received is
truthful.

13. Social Engineering is
a. The act of manipulating data to secure PII
b. The act of manipulating people for malicious means
c. The act of organizing PII based on social security numbers
d. The act of organizing PII based on social groups

14. Which of the following requires the safe storage of data generated in connection with public
electronic information?
a. Data Directive
b. Payment Card Industry Data Security Standards
c. Data-Driven Marketing
d. Data Security, Portability, and Accountability Act

15. Which of the following is a sign of a phishing email?
a. Request for personal information
b. Solicited attachments
c. Good grammar and spelling
d. Sense of laziness about the language used

16. Which can be the result of a cyber-attack?
a. Loss of customer information
b. Compromising of secure data
c. Loss of man-hours
d. All of the above

17. Corrupted files are a violation of _______
a. Confidentiality
b. Integrity
c. Accessibility
d. None of the above

18. In terms of cyber security, what does CIA stand for?
a. Confidentiality, Integrity, Availability
b. Confidentiality, Integrity, Accuracy
c. Central Intelligence Agency
d. Certified Internal Auditing

19. DDOS stands for
a. Demonstrated Denial of Service
b. Diminutive Denial of Service
c. Delegated Denial of Service
d. Distributed Denial of Service

20. Encryption is a popular method to ensure ______
a. Confidentiality
b. Integrity
c. Identity
d. Availability

End User Email
1. Clicking on suspicious links and downloading unverified attachments puts you and only you at risk.
a. TRUE
b. FALSE

2. Which of the following is an indicator of a suspicious email?
a. Bad grammar
b. A sense of urgency
c. Promise of money
d. All of the above

3. Emails have become the main means of _____________ attacks
a. Phishing
b. Targeted
c. Adware
d. Testing

4. Which of these is NOT a method you can use to keep your inbox clean from unwanted email?
a. Be careful with who you give your email address to
b. Bulk delete all emails without opening any up
c. Use different email addresses for different purposes
d. Remove email subscriptions once you do not need them anymore

5. If you receive a malicious email to your company email address, you should forward it to other
people.
a. True - everyone needs to know what malicious emails look like, and you increase awareness
by forwarding this email
b. True - you should forward the email to the security team so they can take the proper steps
to handle the email
c. False - forwarding the email to anyone could result in extended damage to the network
d. False - you should gather more information about the email by responding to it before
taking any additional steps

6. The email address shown next to the name of the sender in an email header is always the address
your replies will be sent to.
a. TRUE
b. FALSE

7. If you receive a malicious email to your company email address, you should forward it to other
people.
a. True - everyone needs to know what malicious emails look like, and you increase awareness
by forwarding this email
b. True - you should forward the email to the security team, so they can take the proper steps
to handle the email
c. False - forwarding the email to anyone could result in extended damage to the network
d. False - you should gather more information about the email by responding to it before
taking any additional steps

8. Which of the following is not a threat an attachment can pose?
a. Installing adware
b. Propagate to other people on your contacts list
c. Installing a keylogger
d. Fry your computer

9. Why do we care about email links & attachments?
a. Links may redirect to sites that seem legitimate but are used for phishing
b. Links may lead to little known sites offering legitimate services
c. Attachments may contain someone’s private information
d. Attached images could hold information that puts national security at risk

10. Which of these is NOT a method you can use to keep your inbox clean from unwanted email?
a. Be careful with who you give your email address to
b. Bulk delete all emails without opening any up
c. Use different email addresses for different purposes
d. Remove email subscriptions once you do not need them anymore

11. An email link that sends you to an inappropriate website is an example of a malicious email attack.
a. TRUE
b. FALSE

12. What is phishing?
a. Encrypting the data on a computer and asking for a ransom to decrypt it
b. Manipulating people to get them to share personal information such as login credentials
c. Getting a person to perform a cyber-attack on others
d. Email attacks that infect the computers of a large number of people

13. Which of the following is a step you should take to make sure a link contained in an email is safe?
a. Directly follow the link
b. Share the link to check for complaints
c. Check to make sure the sender of the email is who they claim to be
d. Copy and paste the link in Google to check for authenticity

14. What are the warning signs of a suspicious email?
a. Poor grammar and unsolicited downloads
b. Sense of urgency and scare tactics
c. "Too good to be true"
d. All of the above

15. What type of attack are emails mainly used for?
a. Denial of Service (DoS)
b. Eavesdropping
c. Phishing
d. Identity Spoofing

16. Which of the following should you NOT do when you receive a possible phishing email?
a. In case the sender is someone you believe you know, confirm that they did in fact send the
email
b. Navigate to logins manually instead of clicking on links
c. Run a virus scan on any opened or downloaded attachments
d. Reply back to the email

17. All suspicious emails should be forwarded to your security team.
a. TRUE
b. FALSE

18. Email attacks provide anonymity for the ________.
a. Recipient
b. Recipient contacts
c. Sender
d. No-one

19. Which of these is NOT a reason for the prevalence of email attacks?
a. People are still falling for these attacks, even when they are very poorly done
b. Targeting specific people is very efficient
c. Generic attacks that affect a mass population are very easy
d. Sending links to phishing sites is easier than through other modes of communication, such
as by phone

20. What is phishing?
a. Encrypting the data on a computer and asking for a ransom to decrypt it
b. Manipulating people to get them to share personal information such as login credentials
c. Getting a person to perform a cyber-attack on others
d. Email attacks that infect the computers of a large number of people

End User PII
1. Always give the ________ amount of PII if it becomes absolutely necessary.
a. Total Available
b. Least
c. Requested
d. Most

2. Identity theft is an insignificant issue in today's privacy-centred world.
a. TRUE
b. FALSE

3. What does PII stand for?
a. Private Illustrative Information
b. Personally Injurious Information
c. Public Instructional Information
d. Personally Identifiable Information

4. Which of the following is a poor organizational practice concerning the protection of PII?
a. Frequently transmitting PII over networks
b. Storing PII redundantly on numerous servers and/or portable devices
c. Letting PII be used by numerous people within the organization
d. All of the above

5. What does HIPAA do?
a. Ensures patient medical record confidentiality in hospitals and health insurance companies
b. Ensures proper bedside treatment of patients in hospitals
c. Ensures transparency between health insurance companies and patients
d. Ensures health insurance and medical records can be accessed instantly and on demand in
case of emergencies

6. What does PCI/DSS stand for?
a. Personal Credential Information Data Security Standards
b. Payment Card Industry Data Security Standards
c. Payment Card Industry Data Safety Standards
d. Personal Credential Information Data Safety Standards

7. Which of the following might be accessed with PII?
a. Bank Security Questions
b. Background Check Questions
c. Account Recovery Questions
d. All of the above

8. Which of the following is not an example of biometric data?
a. Fingerprint
b. Height/Weight
c. Age
d. Retinal scan

9. What does HIPAA stand for?
a. Health Insurance Portability and Accountability Act
b. Healthcare Industry Professionals Accountability Administration
c. Healthcare Insurance Portability and Aggregation Act
d. Health Insurance Portability and Accountability Administration

10. Social Engineering is:
a. The act of designing social constructs and paradigms
b. The act of persuading people to share external information with others
c. The act of manipulating people for malicious means
d. The act of creating distinct social classes with the purpose of designing different methods
of treatment per class

11. Seemingly innocent information can be used to do which of the following?
a. Reset passwords
b. Request more information
c. Impersonate an individual
d. All of the above

12. Which of the following is NOT an important factor in determining the ease of access of PII?
a. Can be copied, sent, and saved without restriction
b. Is available for use by HR for employee management
c. Is protected by passwords before being accessible by staff
d. The volume of PII stored

13. What does the EU Data Directive do?
a. Ensures that unsafe information is not stored at all
b. Dictates what kinds of information may be stored
c. Demonstrates how to store confidential information
d. Requires safe storage of data generated in connection with public electronic information

14. Which of the following is a method by which an attacker can acquire PII?
a. Illegally obtaining a physical copy from your company
b. Social media
c. Phishing scams
d. All of the above

15. Before giving out individual PII, what is the first thing you must do?
a. Ensure that the request is authorized, and the requester provides legitimate identification
b. Check with the individual to get their approval
c. Check with company policy for instructions dictating the process of handing out PII
d. Encrypt the PII for transfer, so it does not get in the hands of external parties

16. Which of these is not a good practice concerning protecting PII?
a. Following company policy
b. Defer questions to authority
c. Locking your computer when you step away
d. Remembering your passwords by writing them on sticky notes on your desk

17. Which of these is an example of PII?
a. Social Security number
b. Vehicle registration number
c. Biometric information
d. All of the above

18. Where should you store confidential information?
a. Personal Laptop
b. SD Card
c. Phone
d. None of the above

19. Which of these is not an example of PII?
a. Phone Number
b. Address
c. Bank Account Number
d. Clothing Serial Number

20. If a single piece of information cannot be used by itself to identify a person, it is safe to reveal.
a. TRUE - if the information does not distinguish the individual from others, there is no issue
with it being revealed
b. FALSE - that information may be combined with other pieces of information to identify a
particular individual

21. PII can be used to commit identity theft. Identity theft can cause which of the following issues?
a. Financial problems
b. Credit hits
c. Emotional distress
d. All of the above

End User Physical Security
1. Why is physical security in an organization important?
a. Employees could come to harm
b. Network devices could be destroyed, severely harming the organization
c. Cyber-attacks could be performed on site that may be more disastrous than a remote attack
d. All of the above

2. Which of the following is NOT true about a fire alarm in an organization?
a. Providing proper training can ensure that all company policies are followed even in the
event of such an emergency
b. An evacuated building becomes easier to be attacked
c. Information safety should be given first priority
d. All of the above are true statements

3. Which of the following can you do if someone is struggling to get through a security door?
a. Offer to swipe your ID for them
b. Hold the door open for them
c. Escort them to security
d. None of the above

4. Which of the following is the first step you should take when dealing with physical security?
a. Mitigate
b. Report
c. Identify
d. None of the above

5. Which of the following is not a physical security control?
a. A camera
b. A computer lock
c. An anti-virus
d. A door lock

6. What is usually the weakest link in a secure system?
a. Door locks
b. Security stations
c. Employees
d. Computers

7. In the event of an emergency, the only concern should be safety of employees. Safety of sensitive
data can be disregarded.
a. TRUE
b. FALSE

8. Which of the following practices ensures that door locks are being used effectively?
a. Propping doors open
b. Writing door pin codes on the door
c. Holding doors for people who have not scanned their badge in
d. None of the above

9. What key combination for Windows/Mac quickly locks your computer?
a. Win+R/Cmd+R
b. Shift+Tab/Ctrl+Tab
c. Alt+F4/Cmd+Option+Esc
d. Win+L/Ctrl+Shift+Power

10. The safety of a company's employees is more important than the safety of its data.
a. TRUE
b. FALSE

11. If you spot someone making an attempt to enter your company building without going through
the proper identification process but you are uncomfortable with accosting them, you may report
the attempt to security instead.
a. TRUE
b. FALSE

12. Which of the following is NOT a reason for organizations being vulnerable?
a. People take extensive care to follow all company policies
b. People are not careful with their credentials
c. Buildings are designed for function with cost in mind rather than security
d. All of the above are reasons for vulnerability

13. A visual scan of an ID badge is enough to determine authenticity.
a. TRUE
b. FALSE

14. Which of the following actions can an attacker with physical access to a computer take?
a. Perform a USB attack on the computer
b. Destroy the computer
c. Steal the computer to resell it
d. All of the above

15. Why should the default combination or password be used on a lock?
a. To allow for easy retrieval of the combination or password from the instruction manual in
case it is forgotten
b. The default passwords are usually simple enough to be remembered, improving employee
productivity
c. Many systems use the same default password, making remembering multiple passwords for
different systems unnecessary
d. Default passwords should not be used as they are a great security risk

16. An attacker with physical access to the target computer can do which of the following that they
normally would not be able to from a remote location?
a. Access the computer through the network
b. Upload a virus wirelessly
c. Physically destroy the computer
d. Learn when it is turned on

17. Which of the following is an effective method of preventing your laptop from being stolen?
a. Covering your laptop in sticky notes
b. Using a computer lock
c. Putting your laptop under your desk
d. Using a screensaver

18. Which of the following is NOT an element of physical security?
a. Security guards
b. Locked doors
c. Wireless shields
d. Walls

19. If someone looks like they are trying to tailgate behind you, what should you do?
a. Visually verify their ID before letting them follow you
b. Kindly escort them to security
c. Slam the door behind you, so they are unable to follow
d. Demand that they swipe themselves in and refuse to open the door

20. The only way to access information in a password protected computer is by logging in with a
password.
a. TRUE
b. FALSE

21. An attack over USB can be more effective than an attack performed over the network.
a. TRUE
b. FALSE

End User: Network Security
1. A worm is dangerous because
a. It only requires one user on the network to allow it to spread wildly
b. It installs programs that users do not want
c. It monitors network traffic.
d. None of the above

2. What is the best way to protect data while sending it to others?
a. Encryption
b. Passwords
c. Both A and B
d. None of the above

3. TCP/IP is the most common protocol
a. TRUE
b. FALSE

4. IP comes from the ______ range when the government wanted to send files between systems.
a. 60
b. 70
c. 80
d. 90

5. Fax machines have built-in security.
a. TRUE
b. FALSE

6. The C-I-A triad stands for:
a. Confidentiality, Integrity, Availability
b. Confidentiality, Internet, Accessibility
c. Co-dependency, Integrity, Availability
d. None of the above

7. Wireshark allows a user to:
a. Perform a DDOS attack on the network
b. Decrypt encrypted messages on a network
c. Capture traffic on the network and look at it
d. None of the above

8. Network security begins with ___________, usually with a username and password.
a. Auditing
b. Authenticating
c. Fabrication
d. None of the above

9. A man-in-the-middle attack only leads to watching network traffic, not corruption or stealing of data.
a. TRUE
b. FALSE

10. Most protocols are designed to work securely.
a. TRUE
b. FALSE

11. Which of the following is a security risk?
a. Bringing a USB drive from one environment to another
b. Using https instead of http
c. Allowing multiple computers onto the same network
d. None of the above

12. We are moving to IPv6 soon because:
a. It has built in TCP/IP
b. It encrypts data automatically
c. It allows for monitoring of the networks
d. None of the above

13. Why is it hard to obtain a truly secure network?
a. Networks are designed to protect information and resources.
b. Few pieces of data are ever sent through any given network.
c. Anyone can view traffic over any network they wish.
d. None of the above.

14. How could someone view data sent over a network transmitted in HTTPS?
a. You have antivirus in place
b. You are on a public network
c. You are using a wireless network
d. None of the above

15. Any __________ traffic on the network is susceptible to sniffing
a. Encrypted
b. User-facing
c. Email
d. None of the above

16. Which is a key to network security?
a. Encryption
b. Only send data to secure websites
c. Use caution when on public networks
d. All of the above

17. "Sniffing" refers to a ________ which does not involve corrupting data.
a. DDOS attack
b. Man-in-the-middle attack
c. Phishing attack
d. Baiting attack

18. The most important part of network security is:
a. Protecting data in transit
b. Protecting user login credentials
c. Maintaining accessibility
d. None of the above

19. Which is NOT a way to ensure network security?
a. Encrypt mail and other sensitive files.
b. Protect physical access to your system.
c. Use http instead of https
d. Download only from trusted sites.

20. What is similar about the protocols we use to exchange mail?
a. They encrypt all files sent through them.
b. None of them are secure
c. Both A and B
d. None of the above

21. Which of the following is NOT a means of network security?
a. Following company policy
b. Contact HR if you suspect something on the network is insecure
c. Having a secure physical environment
d. Encryption of data on the network

End User: Cyber Fundamentals
1. Social Engineering is
a. The act of manipulating data to secure PII
b. The act of manipulating people for malicious means
c. The act of organizing PII based on social security numbers
d. The act of organizing PII based on social groups

2. In terms of End User Security, what is Integrity?
a. Making sure we keep our data and our information private from those who do not "Need to
Know"
b. Making sure that we, our clients, and anyone else who needs access to the data has access.
c. Making sure that our data is useless to outsiders, through processes like encryption.
d. Making sure that our data is not tampered with so that information sent and received is
truthful.

3. In terms of cyber security, what does CIA stand for?
a. Confidentiality, Integrity, Availability
b. Confidentiality, Integrity, Accuracy
c. Central Intelligence Agency
d. Certified Internal Auditing

4. The difference between a DOS attack and a DDOS attack is _______
a. The number of attacking computers
b. The use of encryption-breaking software
c. The use of brute-force tactics
d. The use of violations of integrity

5. Pretexting is synonymous with what?
a. Investigation
b. Impersonation
c. Interrogation
d. Infiltration

6. An authentication server stores both the username and the password.
a. TRUE
b. FALSE

7. DDOS Attack stands for
a. Demonstrated Denial of Service Attack
b. Diminutive Denial of Service Attack
c. Delegated Denial of Service Attack
d. Distributed Denial of Service Attack

8. Which of the following is NOT a good practice for defending PII?
a. Defer questions to those who you have authority over
b. Authenticate according to policy
c. Follow company policy
d. Do not leave PII unprotected

9. An email with a known sender is safe from phishing.
a. TRUE
b. FALSE

10. Which of the following is NOT a Cybersecurity Threat?
a. Common Persistent Threats
b. Outsider Threats
c. Insider Threats
d. Highly Organized threats

11. PII stands for
a. Personnel Ideal Information
b. Persons Identity Information
c. Personal Identification Information
d. Personally Identifiable Information

12. Corrupted files are a violation of _______
a. Confidentiality
b. Integrity
c. Accessibility
d. None of the above

13. Which of the following is a sign of a phishing email?
a. Request for personal information
b. Solicited attachments
c. Good grammar and spelling
d. Sense of laziness about the language used

14. Natural Disasters mostly affect _____
a. Confidentiality
b. Integrity
c. Availability
d. None of the above

15. A digital signature provides assurance that the file has not been modified.
a. TRUE
b. FALSE

16. Which of the following requires the safe storage of data generated in connection with public
electronic information?
a. Data Directive
b. Payment Card Industry Data Security Standards
c. Data-Driven Marketing
d. Data Security, Portability, and Accountability Act

17. _______ dollars were lost in the United States last year due to cyber attacks.
a. 250 Million
b. 25 Billion
c. 250 Billion
d. 500 Billion

18. Which of the following is NOT a technical attack?
a. Keyloggers
b. Email Attachments
c. Social Engineering
d. USB attacks

19. Which can be the result of a cyber-attack?
a. Loss of customer information
b. Compromising of secure data
c. Loss of man-hours
d. All of the above

20. Encryption is a popular method to ensure ______
a. Confidentiality
b. Integrity
c. Identity
d. Availability

21. Which of the following can NOT be used as PII?
a. First and Last name
b. High School Mascot
c. Email Address
d. Facebook Friends
