
Information Security Overview

1. Which of the following terms refers to the existence of a weakness, design flaw, or implementation error that
can lead to an unexpected event compromising the security of the system?
A. Zero-Day Attack
B. Hacking
C. Exploit
D. Vulnerability

2. Which of the following terms refers to gaining access to one network and/or computer and then using the
same to gain access to multiple networks and computers that contain desirable information?
A. Daisy Chaining
B. Kill Chain
C. Social Engineering
D. Doxing

Explanation:
- Doxing: Doxing refers to gathering and publishing personally identifiable information such as an individual’s
name and email address, or other sensitive information pertaining to an entire organization. People with
malicious intent collect this information from publicly accessible channels such as databases, social
media, and the Internet.
- Daisy Chaining: It involves gaining access to one network and/or computer and then using the same
information to gain access to multiple networks and computers that contain desirable information.
- Social Engineering: Social engineering is the art of manipulating people to divulge sensitive information in
order to perform some malicious action.
- Kill Chain: The cyber kill chain is an efficient and effective way of illustrating how an adversary can attack
the target organization. It is part of an intelligence-driven defense model for the identification and prevention of
malicious intrusion activities.

3. Ransomware encrypts the files and locks systems, thereby leaving the system in an unusable state. The
compromised user has to pay a ransom to the attacker to unlock the system and get the files decrypted. Petya
delivers malicious code that can even destroy the data with no scope of recovery. What is this malicious code
called?
A. Payload
B. Honeypot
C. Bot
D. Vulnerability

4. Which of the following statements correctly defines a zero-day attack?
A. An attack that exploits vulnerabilities before the software developer releases a patch for the vulnerability.
B. An attack that could not exploit vulnerabilities even though the software developer has not released a patch.
C. An attack that exploits vulnerabilities after the software developer releases a patch for the vulnerability.
D. An attack that exploits an application even if there are zero vulnerabilities.

5. Which fundamental element of information security refers to an assurance that the information is accessible
only to those authorized to have access?
A. Integrity
B. Authenticity
C. Availability
D. Confidentiality

6. Arturo is the leader of information security professionals of a small financial corporation that has a few branch
offices in Africa. The company suffered an attack of USD 10 million through an interbanking system. The CSIRT
explained to Arturo that the incident occurred because 6 months ago the hackers came in from the outside
through a small vulnerability, then they did a lateral movement to the computer of a person with privileges in
the interbanking system. Finally, the hackers got access and did the fraudulent transactions.
What is the most accurate name for the kind of attack in this scenario?

A. External Attack
B. Backdoor
C. APT
D. Internal Attack

7. Jonathan, a solutions architect with a start-up, was asked to redesign the company’s web infrastructure to
meet the growing customer demands. He proposed the following architecture to the management:

What is Jonathan’s primary objective?
A. Ensuring high availability
B. Proper user authentication
C. Ensuring integrity of the application servers
D. Ensuring confidentiality of the data

8. Highlander is a medical insurance company with several regional company offices in North America.
Employees, when in the office, utilize desktop computers that have Windows 10, Microsoft Office, anti-
malware/virus software, and an insurance application developed by a contractor. All the software updates and
patches are managed by the IT department of Highlander, Incorporated. Group policies are used to lock down
the desktop computers, including the use of Applocker to restrict the installation of any third-party applications.
There are one hundred employees who work from their home offices. Employees who work from home use their
own computers, laptops, and personal smartphones. They authenticate to a cloud-based domain service, which
is synchronized with the corporate internal domain service. The computers are updated and patched through the
cloud-based domain service. Applocker is not used to restrict the installation of third-party applications.
The database that hosts the information collected from the insurance application is hosted on a cloud-based file
server, and their email server is hosted on Office 365. Other files created by employees get saved to a cloud-
based file server, and the company uses work folders to synchronize offline copies back to their devices.

Based on the knowledge of the network topology and trends in network security, what would be the primary
target of a hacker trying to compromise Highlander?

A. Cloud Based File Server
B. Company Desktops
C. Personal Laptops
D. Personal Smartphones

9. James has published personal information about all senior executives of Essential Securities Bank on his blog
website. He has collected all this information from multiple social media websites and publicly accessible
databases. What is this known as?

A. Doxing
B. Phishing
C. Impersonation
D. Social Engineering

Explanation:
- Doxing: This refers to gathering and publishing personally identifiable information such as an individual’s
name and e-mail address, or other sensitive information regarding the entire organization.
- Social engineering: This is the art of convincing people to reveal sensitive information.
- Phishing: This is the technique in which an attacker sends an e-mail or provides a link, falsely claiming to be
from a legitimate website in an attempt to acquire a user’s personal or account information.
- Daisy chaining: It involves gaining access to one network and/or computer and then using the same
information to gain access to multiple networks and computers that contain desirable information.

10. Highlander, Incorporated, is a medical insurance company with several regional company offices in North
America. Employees, when in the office, utilize desktop computers that have Windows 10, Microsoft Office, anti-
malware/virus software, and an insurance application developed by a contractor. All the software updates and
patches are managed by the IT department of Highlander, Incorporated. Group policies are used to lock down the
desktop computers, including the use of Applocker to restrict the installation of any third-party applications.

There are one hundred employees who work from their home offices. Employees who work from home use their
own computers, laptops, and personal smartphones. They authenticate to a cloud-based domain service, which is
synchronized with the corporate internal domain service. The computers are updated and patched through the
cloud-based domain service. Applocker is not used to restrict the installation of third-party applications.

The laptops utilize direct access to automatically connect their machines to the Highlander, Incorporated, network
when they are not in the regional offices. The laptops are set up to use IPsec when communicating with the cloud-
based file server. The protocol that they have chosen is Authentication Header (AH).

The database that hosts the information collected from the insurance application is hosted on a cloud-based file
server, and their email server is hosted on Office 365. Other files created by employees get saved to a cloud-based
file server, and the company uses work folders to synchronize offline copies back to their devices.

Based on the knowledge of the network topology, which of the main elements of information security has
Highlander, Incorporated, NOT addressed in its plans for its laptops?

A. Authenticity
B. Confidentiality
C. Availability
D. Integrity

Explanation:
Highlander, Incorporated, has not addressed confidentiality.
They have chosen to use Authentication Header, which will digitally sign the packets. That will allow the company
to guarantee integrity, authenticity, and non-repudiation. The use of work folders will allow employees to gain
access to data, even when the network connection fails. Direct access is used when connecting to the Highlander,
Incorporated, hosted network, not the cloud-based file servers.

Information Security Threats and Attack Vectors

11. A newly discovered flaw in a software application would be considered which kind of security
vulnerability?
A. Zero-day vulnerability
B. Time-to-check to time-to-use flaw
C. HTTP header injection vulnerability
D. Input validation flaw

Explanation:
A zero-day vulnerability is a flaw that leaves software, hardware, or firmware defenseless against an attack that
occurs the very same day the vulnerability is discovered.

12. An e-commerce site was put into a live environment and the programmers failed to remove the secret entry
point (bits of code embedded in programs) that was used during the application development to quickly gain
access at a later time, often during the testing or debugging phase.

What is this secret entry point known as?

A. Honey pot
B. SQL injection
C. SDLC process
D. Trap door

13. Which of the following attack vectors is a network attack in which an unauthorized person gains access to a
network and stays there undetected for a long period of time? The intention of this attack is to steal data rather
than to cause damage to the network or organization.

A. Advanced Persistent Threats
B. Botnet
C. Insider Attack
D. Mobile Threats

Explanation:
- Advanced Persistent Threats: An Advanced Persistent Threat (APT) is an attack that focuses on stealing
information from the victim machine without its user being aware of it. These attacks are generally
targeted at large companies and government networks. APT attacks are slow in nature, so the effect on
computer performance and Internet connections is negligible. APTs exploit vulnerabilities in the
applications running on a computer, operating system, and embedded systems.
- Mobile Threats: Mobile threats fall under the category of ‘targeted attacks’, where the attackers have no
major goal beyond targeting a mobile device to gain credit card credentials, cause chaos, get their hands on
personal information for blackmail, and so on.
- Botnet: A botnet is a huge network of compromised systems used by an intruder to perform various
network attacks such as denial-of-service attacks. Bots, in a botnet, perform tasks such as uploading
viruses, sending mails with botnets attached to them, stealing data, and so on.
- Insider Attack: It is an attack performed on a corporate network or on a single computer by a trusted
person (insider) who has authorized access to the network and is aware of the network architecture.

14. Which of the following is a network based threat?

A. Input validation flaw
B. Buffer overflow
C. Arbitrary code execution
D. Session hijacking

15. Ron, a customer support intern, exploited default configurations and settings of the off-the-shelf libraries and
code used in the company’s CRM platform. How will you categorize this attack?

A. Operating System attack
B. Mis-configuration attack
C. Application-level attack
D. Shrink-wrap code attack

Explanation:
Many approaches exist for an attacker to gain access to the system. One common requirement for all such
approaches is that the attacker finds and exploits a system’s weakness or vulnerability.

- Operating System Attacks: Attackers search for vulnerabilities in an operating system’s design, installation
or configuration and exploit them to gain access to a system.
- Misconfiguration attack: Security misconfiguration or poorly configured security controls might allow
attackers to gain unauthorized access to the system, compromise files, or perform other unintended
actions. Misconfiguration vulnerabilities affect web servers, application platforms, databases, networks, or
frameworks and may result in illegal access or possible system takeover.
- Application-level attack: Attackers exploit the vulnerabilities in applications running on an organization’s
information system to gain unauthorized access and steal or manipulate data.
- Shrink-wrap code attack: Software developers often use free libraries and code licensed from other
sources in their programs to reduce development time and cost. This means that large portions of many
pieces of software will be the same, and if an attacker discovers vulnerabilities in that code, many pieces of
software are at risk. Attackers exploit the default configuration and settings of the off-the-shelf libraries and
code. The problem is that software developers leave the libraries and code unchanged.

16. Which of the following malware types restricts access to the computer system’s files and folders, and
demands a payment to the malware creator(s) in order to remove the restrictions?

A. Ransomware
B. Adware
C. Spyware
D. Trojan Horse

17. Highlander, Incorporated, is a medical insurance company with several regional company offices in North
America. Employees, when in the office, utilize desktop computers that have Windows 10, Microsoft Office, anti-
malware/virus software, and an insurance application developed by a contractor. All of the software updates
and patches are managed by the IT department of Highlander, Incorporated. Group policies are used to lock
down the desktop computers, including the use of Applocker to restrict the installation of any third-party
applications.
There are one hundred employees who work from their home offices. Employees who work from home use their
own computers, laptops, and personal smartphones. They authenticate to a cloud-based domain service, which
is synchronized with the corporate internal domain service. The computers are updated and patched through the
cloud-based domain service. Applocker is not used to restrict the installation of third-party applications.
The database that hosts the information collected from the insurance application is hosted on a cloud-based file
server, and their email server is hosted on Office 365. Other files created by employees get saved to a cloud-
based file server, and the company uses work folders to synchronize offline copies back to their devices.
A competitor learns that employees use their own personal smartphones to communicate with other employees
of Highlander, Incorporated.
Which information security attack vector should the competitor use to gather information over a long period of
time from the phones, without the victim being aware that he or she has been compromised?

A. Mobile Threats
B. Advanced Persistent Threat
C. Botnet
D. Viruses and Worms

Explanation:
The competitor should utilize advanced persistent threats. It is an attack that will focus on stealing information
without the user being aware of it.
Viruses and worms normally affect the productivity of the machine and will be detected by anti-malware/virus
programs or the end user when the computer does not respond as expected. Mobile threats do target mobile
devices, but they vary and do not guarantee avoiding detection. A botnet is a network of devices used to perform
network attacks.

18. Which of the following techniques is used to distribute malicious links via some communication channel such
as mails to obtain private information from the victims?

A. Phishing
B. Piggybacking
C. Dumpster diving
D. Vishing

19. Which of the following categories of information warfare is a sensor-based technology that directly corrupts
technological systems?

A. Electronic warfare
B. Intelligence-based warfare
C. Command and control warfare (C2 warfare)
D. Economic warfare

Explanation:
- Electronic warfare: Electronic warfare uses radio electronic and cryptographic techniques to degrade
communication. Radio electronic techniques attack the physical means of sending information, whereas
cryptographic techniques use bits and bytes to disrupt the means of sending information.
- Intelligence-based warfare: Intelligence-based warfare is a sensor-based technology that directly corrupts
technological systems. Intelligence-based warfare is a warfare that consists of the design, protection, and
denial of systems that seek sufficient knowledge to dominate the battlespace.
- Command and control warfare (C2 warfare): In the computer security industry, C2 warfare refers to the
impact an attacker possesses over a compromised system or network that they control.
- Economic warfare: Economic information warfare can affect the economy of a business or nation by
blocking the flow of information. This could be especially devastating to organizations that do a lot of
business in the digital world.

20. Which of the following can be categorized as a host-based threat?
A. Privilege escalation
B. Man-in-the-Middle attack
C. IDS bypass
D. Distributed Denial-of-Service

Explanation:
There are three types of information security threats: Network Threats, Host Threats, and Application Threats.
- Network Threats: A network is the collection of computers and other hardware connected by
communication channels to share resources and information. As the information travels from one system
to the other through the communication channel, a malicious person might break into the communication
channel and steal the information traveling over the network.
Listed below are some of the network threats:
  - Information gathering
  - Sniffing and eavesdropping
  - Spoofing
  - Session hijacking
  - Man-in-the-Middle attack
- Host Threats: Host threats target a particular system on which valuable information resides. Attackers try
to breach the security of the information system resource.
Listed below are some of the host threats:
  - Malware attacks
  - Footprinting
  - Denial-of-Service attacks
  - Arbitrary code execution
  - Unauthorized access
  - Privilege escalation
  - Backdoor attacks
- Application Threats: Applications can be vulnerable if proper security measures are not taken while
developing, deploying, and maintaining them. Attackers exploit the vulnerabilities present in an application
to steal or destroy data.
Listed below are some of the application threats:
  - Improper data/input validation
  - Authentication and authorization attacks
  - Security misconfiguration
  - Improper error handling and exception management
  - Information disclosure
  - Hidden-field manipulation
  - Broken session management
  - Buffer overflow issues

Hacking Concepts, Types, and Phases

21. Yancey is a network security administrator for a large electric company. This company provides power for over
100,000 people in Las Vegas. Yancey has worked for his company for more than 15 years and has become very
successful. One day, Yancey comes into work and finds out that the company will be downsizing and he will be out
of a job in two weeks. Yancey is very angry and decides to place logic bombs, viruses, Trojans, and backdoors all
over the network to take down the company once he has left. Yancey does not care if his actions land him in jail for
30 or more years; he just wants the company to pay for what they are doing to him.
What would Yancey be considered?

A. Yancey is a hacktivist hacker since he is standing up to a company that is downsizing.
B. Because Yancey works for the company currently, he would be a white hat.
C. Yancey would be considered a suicide hacker.
D. Since he does not care about going to jail, he would be considered a black hat.

Explanation:
- Black hats are individuals with extraordinary computing skills who resort to malicious or destructive activities; they are also
known as crackers.
- Individuals professing to have hacker skills and using them for defensive purposes, such as security analysts, are known as
white hats.
- Hacktivists are individuals who promote a political agenda by hacking, especially by defacing or disabling websites.
- Suicide hackers are individuals who aim to bring down critical infrastructure for a “cause” and are not worried about
facing jail terms or any other kind of punishment.

22. What is the objective of a reconnaissance phase in a hacking life-cycle?

A. Gaining access to the target system and network.


B. Gathering as much information as possible about the target.
C. Gaining access to the target system with admin/root level privileges.
D. Identifying specific vulnerabilities in the target network.

23. What is the correct order of steps in the system hacking cycle?
A. Gaining Access -> Escalating Privileges -> Executing Applications -> Hiding Files -> Covering Tracks
B. Escalating Privileges -> Gaining Access -> Executing Applications -> Covering Tracks -> Hiding Files
C. Covering Tracks -> Hiding Files -> Escalating Privileges -> Executing Applications -> Gaining Access
D. Executing Applications -> Gaining Access -> Covering Tracks -> Escalating Privileges -> Hiding Files

Explanation:
In a system hacking cycle, the attacker should first attempt to exploit and gain access to the target system. Then
he has to escalate his privileges to access the root directory of the target system. Once the attacker achieves
the elevated privileges, he can perform any malicious activity like executing malicious applications on the target
system and data theft. Next, the malicious applications have to be hidden somewhere in the target machine so
that the legitimate user is not able to identify and delete them. After completing all these stages, the
attacker has to cover his tracks to avoid detection.

24. Which of the following terms refers to unskilled hackers who compromise systems by running scripts, tools,
and software developed by real hackers? They usually focus on the quantity of attacks rather than the quality of
the attacks that they initiate.

A. Suicide Hackers
B. Gray Hats
C. Hacktivist
D. Script Kiddies

Explanation:
- Hacktivist: Hacktivists are individuals who promote a political agenda by hacking, especially by defacing or disabling
websites.
- Script Kiddies: Script kiddies are unskilled hackers who compromise systems by running scripts, tools, and software
developed by real hackers. They usually focus on the quantity of attacks rather than the quality of the attacks that they
initiate.
- Gray Hats: Gray hats are the individuals who work both offensively and defensively at various times. Gray hats fall
between white and black hats. Gray hats might help hackers in finding various vulnerabilities of a system or network and
at the same time help vendors to improve products (software or hardware) by checking limitations and making them more
secure.
- Suicide Hackers: Suicide hackers are individuals who aim to bring down critical infrastructure for a “cause” and are not
worried about facing jail terms or any other kind of punishment. Suicide hackers are similar to suicide bombers, who
sacrifice their life for an attack and are thus not concerned with the consequences of their actions.

25. Which of the following is an active reconnaissance technique?

A. Scanning a system by using tools to detect open ports
B. Performing dumpster diving
C. Collecting information about a target from search engines
D. Collecting contact information from yellow pages

26. Anonymous, a known hacker group, claims to have taken down 20,000 Twitter accounts linked to Islamic State
in response to the Paris attacks that left 130 people dead. How can you categorize this attack by Anonymous?

A. Social engineering
B. Hacktivism
C. Spoofing
D. Cracking

Explanation:
Hacktivism is when hackers break into government or corporate computer systems as an act of protest. In
the above scenario, the hacker group breaks into the Islamic State corporate computer system in response
to the Paris attack. Hence, Hacktivism is the correct option.

27. Highlander, Incorporated, is a medical insurance company with several regional company offices in North
America. Employees, when in the office, utilize desktop computers that have Windows 10, Microsoft Office, anti-
malware/virus software, and an insurance application developed by a contractor. All of the software updates
and patches are managed by the IT department of Highlander, Incorporated. Group policies are used to lock
down the desktop computers, including the use of Applocker to restrict the installation of any third-party
applications.

There are one hundred employees who work from their home offices. Employees who work from home use their
own computers, laptops, and personal smartphones. They authenticate to a cloud-based domain service, which
is synchronized with the corporate internal domain service. The computers are updated and patched through the
cloud-based domain service. Applocker is not used to restrict the installation of third-party applications.

The protocol that they have chosen is Authentication Header (AH).

The database that hosts the information collected from the insurance application is hosted on a cloud-based file
server, and their email server is hosted on Office 365. Other files created by employees get saved to a cloud-
based file server and the company uses work folders to synchronize offline copies back to their devices.

A competitor has finished the reconnaissance and scanning phases of their attack. They are going to try to gain
access to the Highlander, Incorporated, laptops. Which would be the most likely level to gain access?

A. Network Level
B. Operating System
C. Hardware Level
D. Application Level

28. Individuals who promote security awareness or a political agenda by performing hacking are known as:

A. Suicide hackers
B. Script kiddies
C. Hacktivist
D. Cyber terrorists

Explanation:
- Hacktivists: Hackers who break into government or corporate computers as an act of protest or to increase
awareness.
- Cyber terrorists: Individuals motivated by religious or political beliefs to create fear of large-scale
disruption.
- Script kiddies: Unskilled hackers who compromise systems by running scripts, tools, and software
developed by other hackers.
- Suicide hackers: Hackers who aim to bring down critical infrastructure and do not worry about being
caught and facing jail terms or any other kind of punishment.

29. In which of the following hacking phases does an attacker try to detect listening ports to find information
about the nature of services running on the target machine?

A. Maintaining access
B. Scanning
C. Gaining access
D. Clearing Tracks

30. In which of the following hacking phases does an attacker use steganography and tunneling techniques to
hide communication with the target for continuing access to the victim’s system and remain unnoticed and
uncaught?

A. Reconnaissance
B. Gaining Access
C. Clearing Track
D. Scanning

Information Security Controls

31. What information should an IT system analysis provide to the risk assessor?

A. Impact analysis
B. Security architecture
C. Management buy-in
D. Threat statement

32. What is the purpose of conducting security assessments on network resources?

A. Management
B. Validation
C. Documentation
D. Implementation

Explanation:
Documentation is the process of recording information on paper, online, or on digital or analog media and
using it later as a reference. Implementation is the process of executing a plan. Management deals with
organizing, planning, and controlling the resources of a firm. Security assessments are conducted to
validate the resources and trace out the vulnerabilities.

33. Which of the following is one of the four critical components of an effective risk assessment?

A. DMZ.
B. Administrative safeguards.
C. Logical interface.
D. Physical security.

Explanation:
There are four critical components of an effective risk assessment: technical safeguards, organizational safeguards,
physical safeguards, and administrative safeguards.

34. When utilizing technical assessment methods to assess the security posture of a network, which of the
following techniques would be most effective in determining whether end-user security training would be
beneficial?

A. Social engineering.
B. Application security testing.
C. Vulnerability scanning.
D. Network sniffing.

35. Which type of security documents provides specific step-by-step details?

A. Paradigm
B. Procedure
C. Process
D. Policy

36. Which vital role does the U.S. Computer Security Incident Response Team (CSIRT) provide?

A. Registration of critical penetration testing for the Department of Homeland Security and public and private
sectors.
B. Measurement of key vulnerability assessments on behalf of the Department of Defense (DoD) and State
Department, as well as private sectors.
C. 24x7 CSIRT Services to any user, company, government agency, or organization.
D. Maintenance of the nation’s Internet infrastructure, builds out new Internet infrastructure, and decommissions
old Internet infrastructure.

37. Which of the following examples best represents a logical or technical control?

A. Corporate security policy.
B. Heating and air conditioning.
C. Security tokens.
D. Smoke and fire alarms.

38. International Organization for Standardization (ISO) standard 27002 provides guidance for compliance by
outlining

A. Guidelines and practices for security controls
B. Financial soundness and business viability metrics
C. Standard best practice for configuration management
D. Contract agreement writing standards

39. Which of the following processes evaluates the adherence of an organization to its stated security policy?

A. Penetration testing
B. Security auditing
C. Vulnerability assessment
D. Risk assessment

Explanation:
A security analyst performs security auditing on the network to determine if there are any deviations from the
security policies of an organization.

40. What is the name of the international standard that establishes a baseline level of confidence in the security
functionality of IT products by providing a set of requirements for evaluation?

A. ISO 26029
B. Blue Book
C. The Wassenaar Agreement
D. Common Criteria

Explanation:
Common Criteria (CC) is an international set of guidelines and specifications developed for evaluating information
security products, specifically to ensure that they meet an agreed-upon security standard for government
deployment.

41. Highlander, Incorporated, is a medical insurance company with several regional company offices in North
America. There are various types of employees working in the company, including technical teams, sales teams,
and work-from-home employees. Highlander takes care of the security patches and updates of official computers
and laptops; however, the computers or laptops of the work-from-home employees are to be managed by the
employees or their ISPs. Highlander employs various group policies to restrict the installation of any third-party
applications.
As per Highlander’s policy, all the employees are able to utilize their personal smartphones to access the company
email in order to respond to requests for updates. Employees are responsible for keeping their phones up to date
with the latest patches. The phones are not used to directly connect to any other resources in the Highlander,
Incorporated, network. The database that hosts the information collected from the insurance application is hosted
on a cloud-based file server, and their email server is hosted on Office 365. Other files created by employees get
saved to a cloud-based file server, and the company uses work folders to synchronize offline copies back to their
devices.
Highlander, Incorporated, is concerned about their defense in depth. The scope of their concern is especially the
users with mobile phones.
In order to provide appropriate security, which layer of defense in depth should they focus the most attention
on?

A. Internal Network. B. Policies, Procedures, and Awareness.
C. Physical. D. Perimeter.

42. Which of the following guidelines or standards governs the credit card industry?

A. Health Insurance Portability and Accountability Act (HIPAA)
B. Payment Card Industry Data Security Standards (PCI DSS)
C. Sarbanes-Oxley Act (SOX)
D. Control Objectives for Information and Related Technology (COBIT)

43. Highlander, Incorporated, is a medical insurance company with several regional company offices in North
America. There are various types of employees working in the company, including technical teams, sales teams,
and work-from-home employees. Highlander takes care of the security patches and updates of official computers
and laptops; however, the computers or laptops of the work-from-home employees are to be managed by the
employees or their ISPs. Highlander employs various group policies to restrict the installation of any third-party
applications.
As per Highlander’s policy, all the employees are able to utilize their personal smartphones to access the company
email in order to respond to requests for updates. Employees are responsible for keeping their phones up to date
with the latest patches. The phones are not used to directly connect to any other resources in the Highlander,
Incorporated, network.
The database that hosts the information collected from the insurance application is hosted on a cloud-based file
server, and their email server is hosted on Office 365. Other files created by employees get saved to a cloud-based
file server, and the company uses work folders to synchronize offline copies back to their devices. Apart from
Highlander employees, no one can access the cloud service.
What type of cloud service is Highlander using?

A. Hybrid cloud B. Private cloud
C. Community cloud D. Public cloud

44. Highlander, Incorporated, is a medical insurance company with several regional company offices in North America. There
are various types of employees working in the company, including technical teams, sales teams, and work-from-home
employees. Highlander takes care of the security patches and updates of official computers and laptops; however, the
computers or laptops of the work-from-home employees are to be managed by the employees or their ISPs. Highlander
employs various group policies to restrict the installation of any third-party applications.
As per Highlander’s policy, all the employees are able to utilize their personal smartphones to access the company email in
order to respond to requests for updates. Employees are responsible for keeping their phones up to date with the latest
patches. The phones are not used to directly connect to any other resources in the Highlander, Incorporated, network.
The database that hosts the information collected from the insurance application is hosted on a cloud-based file server, and
their email server is hosted on Office 365. Other files created by employees get saved to a cloud-based file server, and the
company uses work folders to synchronize offline copies back to their devices.
Management at Highlander, Incorporated, has agreed to develop an incident management process after
discovering laptops were compromised and the situation was not handled in an appropriate manner.

What is the first phase that Highlander, Incorporated, needs to implement within their incident management
process?

A. Containment. B. Forensic Investigation.
C. Preparation for Incident Handling and Response. D. Classification and Prioritization.

45. You are the security administrator of Xtrinity, Inc. You write security policies and conduct assessments to
protect the company’s network. During one of your periodic checks to see how well policy is being followed by
the employees, you discover that an employee has attached his laptop to his personal 4G Wi-Fi device. He has
used this 4G connection to download certain files from the Internet, thereby bypassing your firewall. A security
policy breach has occurred as a direct result of this activity. The employee explains that he used the modem
because he had to download software for a department project. How would you resolve this situation?
A. Install a network-based IDS. B. Enforce the corporate security policy.
C. Reconfigure the firewall. D. Conduct a needs analysis.

46. Which method can provide a better return on IT security investment and provide a thorough and
comprehensive assessment of organizational security covering policy, procedure design, and implementation?

A. Social engineering B. Vulnerability scanning
C. Access control list reviews D. Penetration testing

47. When creating a security program, which approach would be used if senior management is supporting and
enforcing the security policy?

A. A bottom-up approach. B. A senior creation approach.
C. A top-down approach. D. An IT assurance approach.

Explanation:
A top-down approach means that the senior-level executives have endorsed the security policy. In a top-down
approach, initiation, support, and direction come from top management, work through middle management,
and then reach the staff members.

48. Highlander, Incorporated, is a medical insurance company with several regional company offices in North
America. There are various types of employees working in the company, including technical teams, sales teams,
and work-from-home employees. Highlander takes care of the security patches and updates of official computers
and laptops; however, the computers or laptops of the work-from-home employees are to be managed by the
employees or their ISPs. Highlander employs various group policies to restrict the installation of any third-party
applications.

As per Highlander’s policy, all the employees are able to utilize their personal smartphones to access the company
email in order to respond to requests for updates. Employees are responsible for keeping their phones up to date
with the latest patches. The phones are not used to directly connect to any other resources in the Highlander,
Incorporated, network. The company is concerned about the potential vulnerabilities that could exist on their
devices.

What would be the best type of vulnerability assessment for the employees’ smartphones?

A. Wireless Network Assessment. B. Host-Based Assessment.
C. Passive Assessment. D. Active Assessment.

Explanation:
• Host-based assessment looks at the vulnerabilities of the devices.
• Active assessment means we are using a network scanner to look for hosts.
• Passive assessment means we are sniffing packets in a network.
• Wireless network assessment looks for vulnerabilities in the wireless network, not the phone.

49. A security policy is more acceptable to employees if it is consistent and has the support of:

A. Executive management. B. The security officer.
C. Coworkers. D. A supervisor.

Explanation:
Executive management is a team of individuals at the highest level of management in an organization who have the
day-to-day tasks of managing that organization. They hold specific executive powers delegated to them with and by
the authority of a board of directors and the shareholders. The executive management typically consists of the
heads of a firm such as the chief financial officer, the chief operating officer, and the chief strategy officer.

50. Company XYZ is one of the most famous and well-known organizations across the globe for its cyber security
services. It has received the Best Cyber Security Certification Provider Award three consecutive times. One day, a
hacker identified a severe vulnerability in XYZ’s website and exploited it, successfully compromising customers’
private data. Besides the loss of data and the compromised network equipment, what has been the worst damage
for Company XYZ?

A. Reputation.
B. Credit Score.
C. Customers.
D. Routers.

51. Which of the following is a detective control?

A. Security policy. B. Smart card authentication.
C. Audit trail. D. Continuity of operations plan.

Explanation:
Security controls are safeguards or countermeasures to avoid, detect, respond, or minimize security risks to
physical property, information systems, or other assets.
Security controls are classified as follows:
• Preventive Controls - Prevent an incident from occurring. E.g., security guard, smart card authentication,
etc.
• Detective Controls - Identify and characterize an incident in progress. E.g., audit trail, system monitoring,
etc.
• Corrective Controls - Limit the extent of any damage caused by the incident. E.g., security policy, continuity
of operations plan, etc.

52. Which of the following security policies protects the organizational resources and enables organizations to
track their assets?

A. Information protection policy B. User account policy
C. Remote access policy D. Access control policy

Explanation:
o Access Control Policy: Access control policy outlines procedures that help in protecting the
organizational resources and the rules that control access to them. It enables organizations to track
their assets.
o Remote-Access Policy: A remote-access policy contains a set of rules that define authorized
connections. It defines who can have remote access, the access medium and remote access security
controls.
o User Account Policy: User account policies provide guidelines to secure access to a system. It defines
the account creation process, and authority, rights and responsibilities of user accounts.
o Information-Protection Policy: Information-protection policies define the standards to reduce the
danger of misuse, destruction, and loss of confidential information. It defines the sensitivity levels of
information, who may have access, how it is stored and transmitted, and how it should be deleted from
storage media.

53. Cristine is the CEO of a global corporation that has several branch offices around the world. The company
employs over 300 workers, half of whom use computers. Recently, the company suffered from a ransomware
attack that disrupted many services, and many people have written to Cristine with questions about why it
happened.
She asks Edwin, the systems administrator, about the servers that hold the encrypted information. Edwin explains to
Cristine that the servers display a screen demanding payment in bitcoins to decrypt the information, but he does not
know why.
What team does the company lack?
A. CSIRT. B. unencrypt team.
C. Vulnerability Management team. D. Administrators team.

Explanation:
The company does not have a computer incident response team and lacks knowledge regarding information
security issues. No other team but CSIRT can help with the problem.

54. Which of the following is a preventive control?

A. Performance review. B. Continuity of operations plan.
C. Smart card authentication. D. Audit trail.

55. A network administrator is promoted as chief security officer at a local university. One of his new
responsibilities is to manage the implementation of an RFID card access system to a new server room on campus.
The server room will house student enrollment information that is securely backed up to an off-site location.
During a meeting with an outside consultant, the chief security officer explains that he is concerned that the
existing security controls have not been designed properly. Currently, the network administrator is responsible
for approving and issuing RFID card access to the server room, as well as reviewing the electronic access logs on a
weekly basis.
Which of the following is an issue with the situation?

A. Undue influence B. Lack of experience
C. Segregation of duties D. An inadequate disaster recovery plan

56. Which type of scan is used on the eye to measure the layer of blood vessels?

A. Iris scan B. Facial recognition scan
C. Retinal scan D. Signature kinetics scan

Explanation:
• Facial recognition scan: Identifies or verifies a person from a digital image by comparing and analyzing
patterns.
• Retinal scan: Compares and identifies a user using the distinctive patterns of retina blood vessels.
• Iris scan: Identifies people based on unique patterns within the ring-shaped region surrounding the pupil of the
eye.
• Signature kinetics scan: Analyzes and measures the physical activity of signing, like the pressure applied, stroke
order, and the speed.

57. To reduce the attack surface of a system, administrators should perform which of the following processes to
remove unnecessary software, services, and insecure configuration settings?

A. Windowing B. Harvesting
C. Stealthing D. Hardening

58. Which of the following ensures that updates to policies, procedures, and configurations are made in a
controlled and documented manner?

A. Change management B. Penetration testing
C. Regulatory compliance D. Peer review

59. Which initial procedure should an ethical hacker perform after being brought into an organization?

A. Begin security testing.
B. Assess what the organization is trying to protect.
C. Sign a formal contract with a non-disclosure clause or agreement.
D. Turn over deliverables.

60. Which security strategy requires using several, diverse methods to protect IT systems against attacks?

A. Exponential backoff algorithm B. Three-way handshake
C. Defense in depth D. Covert channels

61. What are the three types of compliances that the Open-Source Security Testing Methodology Manual
(OSSTMM) recognizes?

A. Legislative, contractual, standards-based. B. Audit, standards-based, regulatory.
C. Legal, performance, audit. D. Contractual, regulatory, industry.

62. How can a policy help improve an employee’s security awareness?

A. By implementing written security procedures, enabling employee security training, and promoting the
benefits of security
B. By decreasing an employee's vacation time, addressing ad hoc employment clauses, and ensuring that managers
know employee strengths
C. By sharing security secrets with employees, enabling employees to share secrets, and establishing a consultative
helpline
D. By using informal networks of communication, establishing secret passing procedures, and immediately
terminating employees

63. A penetration tester is hired to do a risk assessment of a company’s DMZ. The rules of engagement state that
the penetration test has to be done from an external IP address with no prior knowledge of the internal IT
systems. What kind of test is being performed?

A. Grey box. B. Red box.
C. White box. D. Black box.

Explanation:
In black box testing, the pen testers have only the company name. The tester then uses fingerprinting methods
to acquire information about the inputs and the expected outputs but is not aware of the internal workings of the
system. Testers carry out this test after extensive research of the target organization. Black box testing simulates an
external attacker.

64. Which of the following examples best represents a logical or technical control?

A. Corporate security policy. B. Smoke and fire alarms.
C. Heating and air conditioning. D. Security tokens.

Explanation:
Logical controls include the following: access control software, malware solutions, passwords, security tokens, and
biometrics. Security tokens are used to authenticate a user to a system. Tokens are hardware devices that can take
the form of key fobs or credit cards. They are often used together with another logical access control, such as a
password or PIN, to implement strong multifactor authentication.

65. Low humidity in a data center can cause which of the following problems?

A. Static electricity B. Heat
C. Corrosion D. Airborne contamination

Explanation:
Static electricity is correct; low humidity can cause a buildup of static electricity, and a static discharge can
damage data and equipment. The other options are incorrect: corrosion is caused by high humidity, airborne
contaminants by improper air filtration, and heat by improper cooling.

66. An IT security engineer notices that the company’s web server is currently being hacked. What should the
engineer do next?

A. Record as much information as possible from the attack.
B. Perform a system restart on the company’s web server.
C. Unplug the network connection on the company’s web server.
D. Determine the origin of the attack and launch a counterattack.

67. Which security strategy requires using several, diverse methods to protect IT systems against attacks?
A. Defense in depth B. Exponential backoff algorithm
C. Three-way handshake D. Covert channels

68. Which of the following items is unique to the N-tier architecture method of designing software applications?

A. Data security is tied into each layer and must be updated for all layers when an upgrade is performed.
B. Application layers can be written in C, ASP.NET, or Delphi without any performance loss.
C. It is compatible with various databases including Access, Oracle, and SQL.
D. Application layers can be separated, allowing each layer to be upgraded independently from other layers.

Explanation:
N-tier architecture is also called multitier architecture because the software is engineered to have the processing,
data management, and presentation functions physically and logically separated. This means that these different
functions are hosted on several machines or clusters, ensuring that services are provided without resources being
shared and, as such, these services are delivered at top capacity. The “N” in the name N-tier architecture refers to
any number from 1.

69. An ethical hacker for a large security research firm performs penetration tests, vulnerability tests, and risk
assessments. A friend recently started a company and asks the hacker to perform a penetration test and
vulnerability assessment of the new company as a favor. What should the hacker’s next step be before starting
work on this job?

A. Start by footprinting the network and mapping out a plan of attack.
B. Use social engineering techniques on the friend's employees to help identify areas that may be susceptible to
attack.
C. Define the penetration testing scope.
D. Begin the reconnaissance phase with passive information gathering and then move into active information
gathering.

Explanation:
Before starting the penetration testing, it is important to define the penetration testing scope. It is one of
the important parts of the penetration testing engagement process, since it helps you gather the assessment
requirements for your penetration test. It further helps in preparing the test plan, limitations, business
objectives, and time schedule for the proposed pen test.
It helps you define clear objectives with the help of which you can identify:
• What will be tested
• How it should be tested
• What resources will be allocated
• What limitations will be applied
• What business objectives will be achieved
• How the test project will be planned and scheduled

70. Which of the following is an advantage of utilizing security testing methodologies to conduct a security audit?
A. They are available at a low cost. B. Anyone can run the command line scripts.
C. They provide a repeatable framework. D. They are subject to government regulation.

Explanation:
The correct answer is “They provide a valuable framework.”
Some of the additional benefits of security testing are as follows:
• The ability to detect highly complex vulnerabilities that are not visible without access to the source code.
• The ability to tell you the precise location of any flaw in the source code, including the line number, which
greatly simplifies remediation and managing false positives.
• The ability to provide a valuable framework during application development to detect weaknesses before
they become security risks for your end users and your organization.

71. If the final set of security controls does not eliminate all risk in a system, what could be done next?

A. If the residual risk is low enough, it can be accepted.
B. Continue to apply controls until there is zero risk.
C. Ignore any remaining risk.
D. Remove current controls since they are not completely effective.

Explanation:
• Risk refers to the probability of the occurrence of a threat or an event that may damage, cause loss, or have
another negative impact, arising from either internal or external liabilities.
• To reduce or eliminate the risk, organizations implement various information security controls to prevent
unwanted events from occurring, but some risk will remain at a certain level, and this is what residual risk
is.
• If the security controls fail to eliminate all of the risk, then reapplying the same controls, or removing them,
does not make any sense.
• Once you find out what the residual risks are, what do you do with them? Basically, you have these three
options:
1. If the level of risks is below the acceptable level of risk, then you do nothing—the management needs
to formally accept those risks.
2. If the level of risks is above the acceptable level of risk, then you need to find out some new (and
better) ways to mitigate those risks
3. If the level of risks is above the acceptable level of risk, and the costs of decreasing such risks would be
higher than the impact itself, then you need to propose to the management to accept these high risks.

72. Which of the following statements are true regarding N-tier architecture? (Choose two.)

A. When a layer is changed or updated, the other layers must also be recompiled or modified.
B. Each layer must be able to exist on a physically independent system.
C. The N-tier architecture must have at least one logical layer.
D. Each layer should exchange information only with the layers above and below it.

73. In order to show improvement of security over time, what must be developed?

A. Reports B. Testing tools
C. Taxonomy of vulnerabilities D. Metrics

74. Which of these is a preventive security control?

A. Disaster recovery B. Forensics
C. Security incident handling D. Vulnerability management

75. Which of the following is a primary service of the U.S. CSIRT?

A. CSIRT provides computer security surveillance service to supply a government with important intelligence
information on individuals traveling abroad.
B. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for
reporting computer security incidents worldwide.
C. CSIRT provides penetration testing service to support exception reporting on incidents worldwide by individuals
and multinational corporations.
D. CSIRT provides vulnerability assessment service to assist law enforcement agencies with profiling an individual’s
property or a company’s asset.

76. Which of the following policies provides the guidelines on the processing, storage and transmission of
sensitive information?

A. Acceptable Use Policy. B. Information Protection Policy.
C. Server Security Policy. D. Network Security Policy.

77. Bayron is the CEO of a medium-sized company with regional operations in America. He recently hired a
security analyst to implement an Information Security Management System (ISMS) to minimize risk and limit the
impact of a security breach. The analyst was asked to design and implement patch management, vulnerability
management, IDS deployment, and security incident handling procedures for the company. Which of these is a
reactive process?

A. IDS deployment B. Patch Management
C. Vulnerability Management D. Security Incident Handling

Explanation:
Patch management and vulnerability management are preventive procedures, so the true answer is A. Incident
handling is a reactive one.

Ethical Hacking Concepts and Scope

78. A certified ethical hacker (CEH) completed a penetration test of the main headquarters of a company almost
two months ago but has yet to get paid. The customer is suffering from financial problems, and the CEH is
worried that the company will go out of business and end up not paying. What actions should the CEH take?

A. Follow proper legal procedures against the company to request payment.
B. Exploit some of the vulnerabilities found on the company webserver to deface it.
C. Tell other customers of the financial problems with payments from this company.
D. Threaten to publish the penetration test results if not paid.

79. A CEH is approached by a friend who believes her husband is cheating. She offers to pay to break into her
husband’s email account in order to find proof so she can take him to court. What is the ethical response?

A. Say no; make sure that the friend knows the risk she’s asking the CEH to take.
B. Say yes; the friend needs help to gather evidence.
C. Say yes; do the job for free.
D. Say no; the friend is not the owner of the account.

80. A computer technician is using the latest version of a word-processing software and discovers that a
particular sequence of characters is causing the entire computer to crash. The technician researches the bug and
discovers that no one else has experienced the problem. What is the appropriate next step?

A. Ignore the problem completely and let someone else deal with it.
B. Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.
C. Find an underground bulletin board and attempt to sell the bug to the highest bidder.
D. Create a document that will crash the computer when opened and send it to friends.

81. Which of the following tasks DOES NOT fall under the scope of ethical hacking?

A. Pen testing
B. Risk assessment
C. Defense-in-depth implementation
D. Vulnerability scanning

82. Stephany is the leader of an information security team of a global corporation that has several branch offices
around the world. In the past six months, the company has suffered several security incidents. The CSIRT
explains to Stephany that the incidents have something in common: the source IP addresses of all the incidents
are from one of the new branches. A lot of the outsourcing staff come to this office to connect their computers to
the LAN.
What is the most accurate security control to implement to resolve the primary source of the incidents?

A. Antimalware application B. Awareness to employees
C. Internal Firewall D. Network access control (NAC)

Explanation:
• Network access control (also known as network administration control) deals with restricting the
availability of a network to the end user depending on the security policy. It mainly restricts systems
without antivirus or intrusion prevention software from accessing the network. NAC allows you to create
policies for each user or system and to define policies for networks in terms of IP addresses.
• NAC performs the following actions:
o Evaluates unauthorized users, devices, or behaviors in the network. It provides access to authorized
users and other entities.
o It helps in identifying users and devices on a network. It also determines whether these users and
devices are secure or not.
o Examines the system integration with the network according to the security policies of the
organization.
• In this environment, there are a lot of outside devices coming in and out of the company with no
controls. If we implement NAC, we can say who can get into the network and what policies they
need to comply with.

83. Juan is the administrator of a Windows domain for a global corporation. He uses his knowledge to scan the
internal network to find vulnerabilities without the authorization of his boss; he tries to perform an attack and
gain access to an AIX server to show the results to his boss. What kind of role is shown in the scenario?

A. Gray Hat hacker B. Black Hat hacker
C. White Hat hacker D. Annoying employee

Explanation:
Gray hats are the individuals who work both offensively and defensively at various times. They fall between white
and black hats. Gray hats might help hackers in finding various vulnerabilities of a system or network and at the
same time help vendors to improve products (software or hardware) by checking limitations and making them
more secure.
In the above scenario, despite doing the hack without authorization, Juan only wants to do good for the company.
He was checking the limitations of the organization network and not looking for benefits. This is the behavior of a
gray hat hacker.
A white hat always looks for authorization, and the black hat always seeks profit.

84. Why is ethical hacking necessary? (Select two.)

A. Ethical hackers try to find what an intruder can see on the system under evaluation.
B. Ethical hackers are responsible for incident handling and response in the organization.
C. Ethical hackers are responsible for selecting security solutions and try to verify the ROI of security systems.
D. Ethical hackers try to find if all the components of information systems are adequately protected, updated,
and patched

85. You have been hired to do ethical hacking (penetration testing) for a company. Which is the first thing you
should do in this process?

A. Network information gathering B. Escalating Privileges
C. Perimeter Testing D. Acquiring Target

86. Highlander, Incorporated, decides to hire an ethical hacker to identify vulnerabilities at the regional locations
and ensure system security.
What is the main difference between a hacker and an ethical hacker when they are trying to compromise the
regional offices?

A. Hackers don’t have any knowledge of the network before they compromise the network.
B. Hackers have more sophisticated tools.
C. Ethical Hackers have the permission of upper management.
D. Ethical hackers have the permission of the regional server administrators.

Explanation:
Ethical hackers have the permission of upper management (those with authority to approve the test).

87. A security consultant is trying to bid on a large contract that involves penetration testing and reporting. The
company accepting bids wants proof of work, so the consultant prints out several audits that they have
performed for previous companies. Which of the following is likely to occur as a result?

A. The consultant may expose vulnerabilities of other companies.
B. The consultant will ask for money on the bid because of great work.
C. The company accepting bids will want the same type of format of testing.
D. The company accepting bids will hire the consultant because of the great work performed.

Explanation:
For a security consultant, it is compulsory to sign a nondisclosure agreement (NDA). An NDA is also known as a
confidential document agreement. It is a legal contract to protect the organization’s sensitive information. A typical
NDA specifies the information that the penetration testing team (security consultant) is not allowed to disclose to
other parties.

If the security consultant is showing audit reports of previous companies as proof of work to the current client, it
means they are exposing vulnerabilities of the previous companies to the current client, because an audit report
contains all the confidential information about threats or vulnerabilities found during penetration testing.
