Which of the following is NOT an information security specific vulnerability?
AUse of HTTP based Apache web server.
BUnpatched Windows operating system.
CConfidential data stored in a fire safe.
DUse of an unlocked filing cabinet.
Answer : C
Storing confidential data in a fire safe is a protective control, not a weakness. Each of the other options describes a vulnerability: serving a site over plain HTTP rather than HTTPS exposes traffic to interception and tampering, an unpatched operating system carries publicly known and exploitable flaws, and an unlocked filing cabinet leaves paper records open to anyone who walks past.
When handling and investigating digital evidence to be used in a criminal cybercrime investigation, which of the following principles is considered BEST practice?
ADigital evidence must not be altered unless absolutely necessary.
BAcquiring digital evidence can only be carried out on digital devices which have been turned off.
CDigital evidence can only be handled by a member of law enforcement.
DDigital devices must be forensically ‘clean’ before investigation.
Answer : D
The keyed answer is D. ‘Forensically clean’ refers to the investigator’s own equipment rather than to the suspect device: the target media onto which an image is acquired must be wiped and verified beforehand, and the acquisition tools validated, so that nothing left over from a previous case can contaminate the new evidence and cast doubt on its integrity in court. The original evidence itself should be left unchanged wherever possible, in line with the ACPO principle that no action taken by investigators should change data that may later be relied upon in court; where the original must be accessed, for example to capture volatile memory from a running system, the person doing so must be competent to explain the implications of their actions and every step must be recorded so that an independent third party could repeat it. Option B is wrong because powering a device off destroys volatile data, so live acquisition is often preferred; option C is wrong because trained practitioners outside law enforcement handle evidence routinely, provided the chain of custody is documented.
Which algorithm is a current specification for the encryption of electronic data established by NIST?
ARSA.
BAES.
CDES.
DPGP.
Answer : B
The Advanced Encryption Standard (AES) is the current specification for the encryption of electronic data established by the National Institute of Standards and Technology (NIST). AES is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information, converting data to an unintelligible form called ciphertext and back to its original form, plaintext. The AES algorithm uses cryptographic keys of 128, 192 or 256 bits to encrypt and decrypt data in blocks of 128 bits. NIST published it as Federal Information Processing Standard FIPS 197 in 2001, superseding DES, and it is now the most widely used cipher for protecting data at rest and in transit. Note that AES on its own only transforms single 128-bit blocks: in practice it must be used with a mode of operation such as GCM, with a unique nonce per message, to protect data of arbitrary length and to detect tampering. RSA is asymmetric, DES is withdrawn, and PGP is an application that uses several algorithms rather than an algorithm itself.
Which security concept provides redundancy in the event a security control failure or the exploitation of a vulnerability?
ASystem Integrity.
BSandboxing.
CIntrusion Prevention System.
DDefence in depth.
Answer : D
Defence in depth is a security concept that involves implementing multiple layers of security controls throughout an information system. The idea is that if one control fails or a vulnerability is exploited, other controls will provide redundancy and continue to protect the system. This approach is analogous to a physical fortress with multiple walls; if an attacker breaches one wall, additional barriers exist to stop them from progressing further. In the context of information security, this could include a combination of firewalls, intrusion detection systems, antivirus software, and strict access controls, among others. Defence in depth is designed to address security vulnerabilities not only in technology but also in processes and people, acknowledging that human error or negligence can often lead to security breaches.
Online retailers are the most at risk for the theft of electronic-based credit card data due to the nature of their business, which involves processing a large volume of transactions over the internet. This exposes them to various cyber threats, including hacking, phishing, and other forms of cyber-attacks that can compromise credit card information. Traditional market traders, mail delivery businesses, and agricultural producers typically do not handle credit card transactions to the same extent or in the same electronic manner as online retailers, making them less likely targets for this specific type of data theft.
The principles of Information Security Management emphasize the importance of protecting sensitive data, such as credit card information, through technical security controls and risk management practices. Online retailers must implement robust security measures, including encryption, secure payment gateways, and regular security audits, to mitigate the risks associated with electronic transactions.
What are the different methods that can be used as access controls?
A1, 2 and 4.
B1, 2 and 3.
C1, 2 and 5.
D3, 4 and 5.
Answer : C
Access controls are essential in information security for ensuring that resources are available to authorized users and protected from unauthorized access. The methods of access control can be categorized as follows:
Detective: These controls are designed to identify and record unauthorized access attempts. They do not prevent access but are useful for auditing and monitoring purposes.
Physical: Physical controls are tangible measures taken to protect assets, such as locks, fences, and security guards.
Preventive: Preventive controls are designed to stop unauthorized access before it happens. This includes mechanisms like passwords, biometric scans, and encryption.
The combination of detective, physical, and preventive controls provides a robust framework for managing access to sensitive information and systems. Reactive controls are not typically classified as access controls since they deal with responding to incidents after they occur, and virtual controls are not a recognized category in this context.
Which of the following describes a qualitative risk assessment approach?
AA subjective assessment of risk occurrence likelihood against the potential impact that determines the overall severity of a risk.
BThe use of verifiable data to predict the risk occurrence likelihood and the potential impact so as to determine the overall severity of a risk.
CThe use of Monte-Carlo Analysis and Layers of Protection Analysis (LOPA) to determine the overall severity of a risk.
DThe use of Risk Tolerance and Risk Appetite values to determine the overall severity of a risk
Answer : A
A qualitative risk assessment approach is characterized by the subjective analysis of the likelihood of a risk occurring and its potential impact. This method relies on the judgment and experience of the assessor to estimate the severity of a risk. It does not use numerical data or statistical methods, which are typical of quantitative assessments. Instead, it may use descriptors like ‘low’, ‘medium’, or ‘high’ to rate both the likelihood of occurrence and the potential impact. This approach is useful when precise data is unavailable or when assessing complex, multifaceted risks where human insight is valuable
Which of the following statutory requirements are likely to be of relevance to all organisations no matter which sector or geographical location they operate in?
ASarbanes-Oxley.
BGDPR.
CHIPAA.
DFSA.
Answer : B
The General Data Protection Regulation (GDPR) applies to organisations established in the EU and, through its extraterritorial scope, to organisations elsewhere that offer goods or services to, or monitor the behaviour of, individuals in the EU. Its protections attach to data subjects who are in the EU rather than to EU citizens as such. Because almost every organisation processes some personal data about employees, customers or suppliers, and many of them deal with people in the EU, GDPR is the option most likely to be relevant regardless of sector or location; it has also become a reference model for data protection laws elsewhere, and the UK retains an equivalent UK GDPR.
The other options are confined to a sector or jurisdiction: Sarbanes-Oxley (SOX) applies to companies listed on US markets and their auditors, the Health Insurance Portability and Accountability Act (HIPAA) to US healthcare providers, insurers and their business associates, and the FSA to firms regulated by that financial services authority.
Which of the following is MOST LIKELY to be described as a consequential loss?
AReputation damage.
BMonetary theft.
CService disruption.
DProcessing errors.
Answer : A
Consequential loss in the context of information security refers to secondary or indirect damage that occurs as a result of a primary event or incident. It is not the immediate direct loss, such as theft of money or service disruption, but rather the subsequent impact that may not be immediately apparent. Reputation damage is a prime example of consequential loss because it is a secondary effect that can occur after a security breach or incident. The loss of trust by customers, partners, and stakeholders can have long-term negative effects on a business’s financial health and market position. This type of loss is often more significant and lasting than the immediate direct costs associated with an incident.
James is working with a software programme that completely obfuscates the entire source code, often in the form of a binary executable making it difficult to inspect, manipulate or reverse engineer the original source code.
What type of software programme is this?
AFree Source.
BProprietary Source.
CInterpreted Source.
DOpen Source.
Answer : B
The software described is proprietary (closed) source software. It is distributed as a compiled binary without the source code, and the vendor may additionally obfuscate the binary to make it harder to inspect, manipulate or reverse engineer, in order to protect intellectual property and prevent unauthorised reuse. Open-source and free software, by contrast, ship the source for anyone to view, modify and redistribute. Note that a compiled binary is still open to analysis with a disassembler or debugger; obfuscation raises the cost of reverse engineering but does not make it impossible, so it is not a substitute for secure design.
What type of attack attempts to exploit the trust relationship between a user client based browser and server based websites forcing the submission of an authenticated request to a third party site?
Answer : D
Cross-Site Request Forgery (CSRF) exploits the trust a website places in the user’s browser. The victim, while logged in to the target site, visits an attacker-controlled third-party page; that page causes the browser to submit a request to the target site, for example through an auto-submitted form or an image tag. Because the browser automatically attaches the session cookie or other ambient credentials to every request it sends to that site, the target treats the forged request as a genuine, authenticated action by the user: changing an email address, posting content or initiating a funds transfer. The attacker never needs to read the response, only to trigger the request. Standard defences are a per-session anti-CSRF token that the attacker’s page cannot read, SameSite cookie attributes, and server-side checks of the Origin or Referer header [1][2][3].
[1] Reflectoring, ‘Complete Guide to CSRF/XSRF (Cross-Site Request Forgery)’.
[2] OWASP Foundation, ‘Anti CSRF Tokens ASP.NET’.
[3] Threat Intelligence blog, ‘Cross-Site Request Forgery (CSRF) - What Is It, How to Prevent It’.
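As an added illustration that is not part of the original page or of the references above, the Python below implements the two server-side defences named in the explanation: an Origin/Referer check that fails closed, and a per-session synchronizer token compared in constant time. The site origin https://bank.example, the Session and Request classes, the transfer endpoint and the three constructed requests are all hypothetical.

```python
"""CSRF defence: Origin check plus synchronizer token (added example, hypothetical app)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"              # assumed origin of the protected site
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    """Server-side session; the CSRF token is bound to it, not readable by other sites."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    form: Dict[str, str]


def origin_ok(headers: Dict[str, str]) -> bool:
    """Browsers set Origin on cross-site POSTs and page scripts cannot override it.
    Fall back to Referer; reject when neither is present (or Origin is "null")."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def token_ok(session: Session, form: Dict[str, str]) -> bool:
    """Synchronizer token: the attacker's page cannot read it, so cannot forge it.
    compare_digest avoids leaking the token through timing differences."""
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def is_csrf_safe(req: Request, session: Session) -> bool:
    if req.method.upper() not in STATE_CHANGING:
        return True      # GET/HEAD must be free of side effects in the first place
    return origin_ok(req.headers) and token_ok(session, req.form)


def transfer(req: Request, session: Session, ledger: Dict[str, int]) -> int:
    """Hypothetical money-transfer endpoint; returns an HTTP status code."""
    if not is_csrf_safe(req, session):
        return 403
    ledger[session.user] -= int(req.form["amount"])
    return 200


def demo():
    """Constructed requests: one genuine, two forged from an attacker's page."""
    session = Session(user="alice")
    ledger = {"alice": 100}
    cookie = {"Cookie": "sid=0123abcd"}    # the browser attaches this to every request
    genuine = Request("POST", {**cookie, "Origin": SITE_ORIGIN},
                      {"amount": "10", "csrf_token": session.csrf_token})
    # Classic CSRF: auto-submitted form on https://evil.example; the cookie rides along
    forged = Request("POST", {**cookie, "Origin": "https://evil.example"},
                     {"amount": "90"})
    # Attacker guesses a token; the origin check alone already rejects the request
    forged_guess = Request("POST", {**cookie, "Referer": "https://evil.example/x"},
                           {"amount": "90", "csrf_token": "not-the-real-token"})
    return (transfer(genuine, session, ledger),
            transfer(forged, session, ledger),
            transfer(forged_guess, session, ledger),
            ledger["alice"])


if __name__ == "__main__":
    print(demo())   # (200, 403, 403, 90)
```

The two checks are deliberately independent: the token defeats an attacker who can trigger requests but cannot read responses, while the origin check catches requests that arrive with no token at all, and a missing Origin and Referer is treated as hostile rather than trusted.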
Which of the following is an asymmetric encryption algorithm?
ADES.
BAES.
CATM.
DRSA.
Answer : D
RSA (Rivest-Shamir-Adleman) is the most widely deployed asymmetric encryption algorithm. Unlike symmetric algorithms such as DES and AES, which use the same key for encryption and decryption, asymmetric algorithms use a key pair: data encrypted with the public key can only be decrypted with the matching private key, and a signature created with the private key can be verified by anyone holding the public key. This allows keys to be exchanged and identities verified over an insecure channel without the private key ever being shared. RSA rests on the fact that multiplying two large primes together is easy, whereas factoring their product back into the original primes is computationally infeasible at adequate key sizes (2048 bits or more today); this one-way function is what protects the private key. ATM is a distractor rather than a cipher.
Which of the following uses are NOT usual ways that attackers have of leveraging botnets?
AGenerating and distributing spam messages.
BConducting DDOS attacks.
CScanning for system & application vulnerabilities.
DUndertaking vishing attacks
Answer : D
Vishing (voice phishing) is carried out over the telephone by a human caller or a voice system and does not require a network of compromised hosts. Sending spam, launching DDoS attacks and mass scanning for vulnerable systems are all classic uses of botnets because each benefits from the volume and distributed origin that thousands of infected machines provide.
Which of the following is a framework and methodology for Enterprise Security Architecture and Service Management?
ATOGAF
BSABSA
CPCI DSS.
DOWASP.
Answer : B
SABSA (Sherwood Applied Business Security Architecture) is a framework and methodology specifically designed for Enterprise Security Architecture and Service Management. It provides a layered approach to security architecture, ensuring that security is aligned with business goals and is driven by risk management principles. SABSA’s methodology integrates with business and IT management processes, focusing on the design, delivery, and support of security services within the enterprise environment.
TOGAF (The Open Group Architecture Framework) is also used in the context of enterprise architecture but is not solely focused on security. It provides a comprehensive approach to the design, planning, implementation, and governance of an enterprise information architecture.
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
OWASP (Open Web Application Security Project) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
Which of the following statements relating to digital signatures is TRUE?
ADigital signatures are rarely legally enforceable even if the signers know they are signing a legal document.
BDigital signatures are valid and enforceable in law in most countries in the world.
CDigital signatures are legal unless there is a statutory requirement that predates the digital age.
DA digital signature that uses a signer’s private key is illegal.
Answer : B
Digital signatures are a form of electronic signature that uses cryptographic techniques to provide a secure and verifiable means of signing electronic documents. They are widely recognized and accepted as legally binding in many jurisdictions around the world. The enforceability of digital signatures is backed by laws and regulations that recognize electronic signatures as equivalent to handwritten signatures, provided they meet certain criteria for authenticity and integrity. For instance, in the United States the ESIGN Act establishes the legal validity of electronic signatures, including digital signatures; similarly, the eIDAS regulation in the European Union provides a legal framework for electronic signatures and trust services, including digital signatures. Option D is the reverse of how the technology works: signing with the signer’s private key is precisely what lets anyone holding the corresponding public key verify that the signer, and nobody else, produced the signature.
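The following Python is an added example, not part of the original page, and it serves both the RSA question earlier on this page and the digital signature question above. It builds a toy RSA key pair from two small primes, encrypts with the public key and decrypts with the private key, signs a message hash with the private key and verifies it with the public key, and then recovers the private key by factoring n, which succeeds only because the primes are tiny. The primes 104729 and 1299709, the public exponent 65537 and the hash-mod-n signature scheme are illustrative assumptions; real RSA uses 2048-bit or larger moduli with a padding scheme such as RSA-PSS, and production code should call a vetted library rather than this.

```python
"""Toy RSA: encrypt/decrypt, sign/verify, and a factoring attack (added example)."""
import hashlib
from math import isqrt
from typing import Tuple

PublicKey = Tuple[int, int]    # (n, e)
PrivateKey = Tuple[int, int]   # (n, d)


def generate_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """n = p*q is public; d = e^-1 mod phi(n) is private and needs p and q to compute."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+); needs gcd(e, phi) == 1
    return (n, e), (n, d)


def encrypt(pub: PublicKey, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(priv: PrivateKey, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def _digest(msg: bytes, n: int) -> int:
    """Hash the message and reduce it below n (stand-in for proper padding such as PSS)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv: PrivateKey, msg: bytes) -> int:
    """Signing uses the PRIVATE key: only its holder can produce this value."""
    n, d = priv
    return pow(_digest(msg, n), d, n)


def verify(pub: PublicKey, msg: bytes, sig: int) -> bool:
    """Anyone with the PUBLIC key can check the signature; altering msg breaks it."""
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


def recover_private_key(pub: PublicKey) -> PrivateKey:
    """Trial-division factoring: the one-way function is easy to invert for a toy n."""
    n, e = pub
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    raise ValueError("n has no non-trivial factor; not a valid RSA modulus")


def demo() -> dict:
    """Constructed run with the 10000th and 100000th primes (about 17 and 21 bits)."""
    pub, priv = generate_keypair(104729, 1299709)
    message = b"pay 100 to bob"
    ciphertext = encrypt(pub, 65)
    signature = sign(priv, message)
    return {
        "roundtrip": decrypt(priv, ciphertext) == 65,
        "valid_signature": verify(pub, message, signature),
        "tampered_message": verify(pub, b"pay 900 to bob", signature),
        "key_recovered_by_factoring": recover_private_key(pub) == priv,
    }


if __name__ == "__main__":
    print(demo())
```

The last line of the result is the security lesson: with a 37-bit modulus the private key falls to a loop of a few hundred thousand divisions, so RSA’s strength is entirely a function of key size and of keeping the factors secret, and the same factoring step would take longer than the age of the universe for a 2048-bit modulus.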
Select the document that is MOST LIKELY to contain direction covering the security and utilisation of all an organisation’s information and IT equipment, as well as email, internet and telephony.
ACryptographic Statement.
BSecurity Policy Framework.
CAcceptable Usage Policy.
DBusiness Continuity Plan.
Answer : C
The Acceptable Usage Policy (AUP) is the document most likely to contain directives on the security and utilization of an organization’s information and IT equipment, including email, internet, and telephony. An AUP outlines the acceptable and unacceptable behaviors for users of the organization’s IT systems and services. It typically includes rules and guidelines on the proper use of IT resources, security practices, and the consequences of non-compliance. The AUP is designed to protect both the organization and its users by mitigating risks associated with the misuse of IT resources and ensuring that the use of these resources aligns with the organization’s security policies and objectives.
Which of the following is considered to be the GREATEST risk to information systems that results from deploying end-to-end Internet of Things (IoT) solutions?
AUse of ‘cheap’ microcontroller based sensors.
BMuch larger attack surface than traditional IT systems.
CUse of proprietary networking protocols between nodes.
DUse of cloud based systems to collect loT data.
Answer : B
The deployment of end-to-end Internet of Things (IoT) solutions significantly increases the attack surface compared to traditional IT systems. This is due to the vast number of connected devices, each potentially introducing new vulnerabilities. The heterogeneity of these devices, often with varying levels of security, can lead to more entry points for cyberattacks. Additionally, the complexity of managing and securing these numerous devices, especially when they use different communication protocols and standards, exacerbates the risk. Therefore, the expansion of the attack surface is considered the greatest risk because it amplifies the potential for unauthorized access and compromises the integrity, availability, and confidentiality of information systems.
When seeking third party digital forensics services, what two attributes should one seek when making a choice of service provider?
AAppropriate company accreditation and staff certification.
BFormal certification to ISO/IEC 27001 and alignment with ISO 17025.
CAffiliation with local law enforcement bodies and local government regulations.
DClean credit references as well as international experience.
Answer : A
When selecting a third-party digital forensics service provider, it is crucial to ensure that the company has the appropriate accreditations and the staff hold relevant certifications. This ensures that the service provider adheres to recognized standards and best practices in digital forensics, which is essential for the integrity and admissibility of evidence. Company accreditation provides assurance that the organization follows industry-recognized quality standards, while staff certification demonstrates that the individuals handling the forensic process are qualified and competent. This combination is vital for maintaining the credibility of the forensic investigation and the security of the data handled.
Which of the following threat modelling frameworks focuses on attacker goals and uses categories such as Spoofing and Tampering?
ASTRIDE.
BDREAD.
CPASTA.
DOCTAVE.
Answer : A
STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) classifies threats by what an attacker is trying to achieve against each element of a system, typically by walking through a data-flow diagram element by element and asking which of the six categories applies.
DREAD is a risk-scoring model rather than a threat-identification model: each threat found is rated for Damage, Reproducibility, Exploitability, Affected users and Discoverability to prioritise remediation.
PASTA (Process for Attack Simulation and Threat Analysis) is a seven-stage, risk-centric methodology that links business objectives to technical threats through attack simulation and analysis.
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is an organisational risk assessment method oriented towards business and strategic planning rather than towards individual attack categories.
VAST (Visual, Agile and Simple Threat modelling) is designed to fit threat modelling into agile development workflows.