Rob Flashcards

(150 cards)

1
Which 3 are Functional Control types: Deterrent, Preventive, Compensating, Detective?,"Deterrent, Preventive, and Detective. The functional types are deterrent, preventive, detective, and corrective; Compensating is not a functional type but an alternate method used to reduce risk when a standard control is not feasible."
2
What type of control is Security Awareness Training?,"Operational (a control carried out by people; older frameworks file it under Managerial/Administrative)."
3
Which of these are Detective controls: Audit logs, IPS, IDS, System monitoring?,"Audit logs, IDS, and System monitoring. (An IPS blocks traffic inline, so it is preventive.)"
4
Which concept ensures data has not been tampered with or modified?,"Integrity."
5
Which concept uses strict identity verification, continuous monitoring, and least privilege?,"Zero Trust."
6
Most reliable method to identify unauthorized physical access: Guard, Tape, Sensors, or Logs?,"Surveillance tape (objective evidence that can be reviewed after the fact)."
7
Which sensor uses changes in temperature to detect motion?,"Infrared (PIR) sensor."
8
What deception technology uses decoy items to divert attackers?,"Honeytoken (a decoy data object; a whole decoy system is a honeypot)."
9
What plan is required to reverse a failed system update?,"Backout plan."
10
If a change to one system causes outages in connected systems, this is due to...?,"Dependency."
11
A sudden flood of previously blocked ICMP traffic suggests what issue?,"Misconfigured Access Control List (ACL)."
12
If you can access a system by Hostname but not IP after a change, what is the cause?,"Documentation (the network diagram/IP inventory) was not updated with the new IP. DNS already resolves the hostname to the new address; whoever connects by IP is still using the old one."
13
Which attack is defeated by using Salting?,"Rainbow Table attack (any precomputed-hash lookup)."
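Why a salt defeats the table, as an added example that is not part of the original flashcards. The "rainbow table" here is a constructed dictionary of four precomputed digests; a real table is enormous, but the attacker's lookup is the same. The salted scheme uses PBKDF2 from the standard library, and the passwords and salts are constructed sample data.

```python
"""Added example: why a per-user salt defeats a precomputed (rainbow) table.

A rainbow table maps precomputed hash -> password. It only works if the
defender hashed the bare password, so every user with the same password
gets the same digest. A unique random salt mixed into each hash breaks
the precomputation. Constructed sample data; not from the original cards.
"""
import hashlib
import os
from typing import Optional

# Constructed stand-in for a rainbow table: a few common passwords and
# their unsalted SHA-256 digests. Real tables are huge; the lookup is identical.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
RAINBOW_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def hash_unsalted(password: str) -> str:
    """The weak scheme: hash(password) alone, so equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def new_salt() -> bytes:
    """16 random bytes per user. The salt is stored next to the hash; it need
    not be secret, only unique."""
    return os.urandom(16)


def hash_salted(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256), stored as salthex$digesthex."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def rainbow_lookup(stored_hash: str) -> Optional[str]:
    """The attacker's move: one dictionary lookup instead of guessing."""
    return RAINBOW_TABLE.get(stored_hash)


def demo() -> dict:
    """Same password, three stored forms: one cracks instantly, two do not."""
    salt_a, salt_b = new_salt(), new_salt()
    unsalted = hash_unsalted("letmein")
    salted_a = hash_salted("letmein", salt_a)
    salted_b = hash_salted("letmein", salt_b)
    return {
        "cracked_unsalted": rainbow_lookup(unsalted),      # "letmein"
        "cracked_salted": rainbow_lookup(salted_a),        # None
        "same_password_same_hash": salted_a == salted_b,   # False
    }


if __name__ == "__main__":
    print(demo())
```

The salt does not stop a targeted brute force against one user; the slow, iterated KDF is what makes that expensive. The salt's job is to make every user a separate cracking job and to make precomputation worthless.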
14
If you cannot decrypt a reply with the same key used to encrypt the sent message, you are using...?,"Asymmetric Cryptography (what one key of the pair encrypts, only the other key decrypts)."
15
True/False: Stream ciphers require padding.,"False. Block ciphers require padding to fill the last block (in modes such as ECB/CBC; streaming modes such as CTR/GCM do not); stream ciphers encrypt data byte by byte and need none."
16
Why are Asymmetric algorithms called Public Key algorithms?,"Because one key of the pair, the public key, can be freely published: anyone can use it to encrypt to the owner or verify the owner's signatures, while only the matching private key can decrypt or sign."
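The two facts in cards 14 and 16 in running code, as an added example that is not part of the original flashcards: textbook RSA with the classic toy primes 61 and 53 and no padding. A message encrypted with the public key comes back only with the private key (decrypting with the public key again yields garbage), and the public key is the one that can be handed out because it can only encrypt and verify, never decrypt or sign. The parameters are assumptions for illustration; real RSA uses 2048-bit moduli and padding (OAEP/PSS).

```python
"""Added example (not from the original flashcards): textbook RSA with toy
primes. Shows that the key that encrypted cannot decrypt (card 14) and why
the public key is the one you publish (card 16). Toy primes, no padding:
illustration only, never for real use.
"""


def keygen(p: int, q: int, e: int = 17):
    """Return (public, private) as ((e, n), (d, n)). p and q must be prime and
    e coprime to (p-1)(q-1). Assumed toy parameters."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(m: int, public) -> int:
    """Anyone holding the public key can do this."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(c: int, key) -> int:
    """Raise to the key's exponent. Only the private exponent undoes encrypt();
    passing the public key here just scrambles the ciphertext again."""
    exp, n = key
    return pow(c, exp, n)


def sign(m: int, key) -> int:
    """Only the private-key holder produces a valid signature. Passing the
    public key 'works' mechanically but yields a signature that fails verify()."""
    exp, n = key
    return pow(m, exp, n)


def verify(m: int, sig: int, public) -> bool:
    """Anyone holding the public key can check a signature."""
    e, n = public
    return pow(sig, e, n) == m


def demo() -> dict:
    public, private = keygen(61, 53)   # n = 3233, e = 17, d = 2753
    m = 65                             # constructed message
    c = encrypt(m, public)
    return {
        "ciphertext": c,                                                 # 2790
        "decrypt_with_private": decrypt(c, private),                     # 65
        "decrypt_with_public": decrypt(c, public),                       # not 65
        "signature_verifies": verify(m, sign(m, private), public),       # True
        "forged_signature_verifies": verify(m, sign(m, public), public),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the whole point of the names: publishing (e, n) gives away nothing that lets anyone recover d, so the same pair serves both confidentiality (others encrypt to you) and non-repudiation (only you can sign).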
17
What is the primary motivation of a Hacktivist?,"Political or social statement (e.g., defacing a site)."
18
Compare External vs Internal threat actors regarding sophistication.,"External actors usually need more sophistication to breach defenses because they start with less access; internal actors already have access and need less."
19
What is the motivation of a Nation-State actor?,"War, Espionage, or Strategic advantage."
20
What is the motivation of Organized Crime?,"Financial Gain."
21
A fake invoice email from a 'manager' is an example of what?,"Business Email Compromise (BEC)."
22
Phishing via SMS is called...?,"Smishing."
23
Mimicking a trusted company's emails/logos is called...?,"Brand Impersonation."
24
Which vector bypasses firewalls via physical connection?,"Removable device (USB)."
25
Best defense against Social Engineering?,"Awareness and Education."
26
Vulnerability that overwrites memory locations?,"Buffer Overflow."
27
A flaw unknown to the vendor with no patch is called...?,"Zero-day."
28
Injecting malicious JavaScript into a website (Browser execution) is...?,"XSS (Cross-Site Scripting)."
29
A race condition can lead to...?,"System crash, Unauthorized access, or Privilege escalation."
30
Removing restrictions on an iOS device is called...?,"Jailbreaking."
31
What type of malware allows covert remote access bypassing authentication?,"Backdoor."
32
If a password is reset but the account is breached again immediately, what is the cause?,"Keylogger."
33
What is a Password Spraying attack?,"Using a few common passwords against many accounts to avoid lockout."
34
Logins from two distant locations in a short time frame is called...?,"Impossible Travel."
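Cards 33 and 34 describe two patterns a SIEM rule has to catch without relying on per-account failure counts. The block below is an added example, not code from the original flashcards: it runs both detections over a constructed list of authentication events (timestamps, users, documentation-range IPs and coordinates are all made up), and the thresholds are assumptions to tune for your own environment.

```python
"""Added example (not from the original flashcards): two detections over
constructed authentication events.

- Password spraying: one source tries a few passwords against many accounts,
  one or two attempts each, so no account reaches the lockout threshold.
  Detect it by counting distinct accounts per source, not failures per account.
- Impossible travel: two successful logins by one user from places too far
  apart for the time between them.

Timestamps, users, IPs and coordinates are constructed; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
import math

# (timestamp, user, source IP, outcome, (lat, lon) from IP geolocation) - constructed
EVENTS = [
    ("2024-03-01T09:00:00", "carol", "192.0.2.20",    "success", (48.86, 2.35)),    # Paris
    ("2024-03-01T10:00:00", "alice", "198.51.100.10", "success", (40.71, -74.01)),  # New York
    ("2024-03-01T10:01:00", "bob",   "203.0.113.5",   "failure", (55.75, 37.62)),
    ("2024-03-01T10:02:00", "carol", "203.0.113.5",   "failure", (55.75, 37.62)),
    ("2024-03-01T10:03:00", "dave",  "203.0.113.5",   "failure", (55.75, 37.62)),
    ("2024-03-01T10:04:00", "erin",  "203.0.113.5",   "failure", (55.75, 37.62)),
    ("2024-03-01T10:05:00", "frank", "203.0.113.5",   "failure", (55.75, 37.62)),
    ("2024-03-01T10:06:00", "grace", "203.0.113.5",   "failure", (55.75, 37.62)),
    ("2024-03-01T10:10:00", "alice", "192.0.2.9",     "failure", (40.71, -74.01)),  # one user, typos
    ("2024-03-01T10:11:00", "alice", "192.0.2.9",     "failure", (40.71, -74.01)),
    ("2024-03-01T10:12:00", "alice", "192.0.2.9",     "failure", (40.71, -74.01)),
    ("2024-03-01T10:30:00", "alice", "203.0.113.77",  "success", (51.51, -0.13)),   # London
    ("2024-03-01T13:00:00", "carol", "192.0.2.21",    "success", (52.52, 13.41)),   # Berlin
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect_password_spraying(events, window_minutes=30, min_accounts=5,
                             max_attempts_per_account=2):
    """Return source IPs whose failures inside the window touch at least
    min_accounts distinct accounts with at most max_attempts_per_account each."""
    failures = defaultdict(list)
    for ts, user, ip, outcome, _ in events:
        if outcome == "failure":
            failures[ip].append((_ts(ts), user))
    flagged = []
    for ip, attempts in failures.items():
        attempts.sort()
        per_user = defaultdict(int)
        for _, user in attempts:
            per_user[user] += 1
        span_min = (attempts[-1][0] - attempts[0][0]).total_seconds() / 60
        if (span_min <= window_minutes and len(per_user) >= min_accounts
                and max(per_user.values()) <= max_attempts_per_account):
            flagged.append(ip)
    return flagged


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect_impossible_travel(events, max_speed_kmh=900.0):
    """Return (user, ip_from, ip_to, speed_kmh) for consecutive successful
    logins that would require travelling faster than max_speed_kmh."""
    by_user = defaultdict(list)
    for ts, user, ip, outcome, loc in events:
        if outcome == "success":
            by_user[user].append((_ts(ts), ip, loc))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1, loc1), (t2, ip2, loc2) in zip(logins, logins[1:]):
            dist = haversine_km(loc1, loc2)
            hours = (t2 - t1).total_seconds() / 3600
            # Same timestamp from two distant places is still impossible travel.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((user, ip1, ip2, speed))
    return alerts


if __name__ == "__main__":
    print("spraying sources:", detect_password_spraying(EVENTS))
    print("impossible travel:", detect_impossible_travel(EVENTS))
```

Note what each rule deliberately ignores: alice's three typos from one address are not a spray (one account), and carol's Paris-to-Berlin day (roughly 880 km in four hours) is ordinary travel. Tune the speed threshold to your VPN egress points, since a corporate VPN can legitimately make a user appear to jump continents.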
35
Forcing a system to abandon strong encryption for a weaker protocol is a...?,"Downgrade attack."
36
Isolating systems into different subnets to contain threats is called...?,"Segmentation."
37
Ensuring systems adhere to standards and auto-reverting changes is...?,"Configuration Enforcement."
38
The technique of observing systems to catch issues proactively or reactively is...?,"Monitoring."
39
What controls traffic between network sites using IP addresses?,"ACL (Access Control List)."
40
Which cloud model offers fully managed applications (e.g., Gmail, Salesforce)?,"SaaS (Software as a Service)."
41
Architecture using loosely coupled, independently deployable services is...?,"Microservices."
42
What enables multiple OS instances on one physical server?,"Hypervisor."
43
Shifting risk to a third party (like insurance) is called...?,"Transference."
44
Which appliance protects specifically against Web attacks like SQLi?,"WAF (Web Application Firewall)."
45
If an IPS fails but allows traffic to keep flowing, it is in what mode?,"Fail-open."
46
Which protocol is used to secure tunnels between routers (VPNs)?,"IPSec."
47
What is the IEEE standard for Port-based Network Access Control?,"802.1X."
48
Why add a 'Sensitive' label to 'Public/Private' classification?,"To provide better/more granular data classification."
49
Which regulation covers Credit Card data security?,"PCI DSS."
50
Classification for internal company data with low risk?,"Private."
51
Transforming data into unreadable text that can be reversed with a key is...?,"Encryption."
52
Blocking access based on the source country IP is...?,"Geographic restrictions."
53
Distributing traffic across multiple servers is called...?,"Load balancing."
54
A discussion-based practice of incident response plans is a...?,"Tabletop exercise."
55
Syncing data between primary and secondary sites is called...?,"Replication."
56
A DR site with no hardware or data installed is a...?,"Cold site."
57
Best defense against SQL Injection?,"Input Validation (in practice, parameterized queries/prepared statements are the primary defense, with input validation as a second layer)."
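The injection this card defends against, as an added example that is not part of the original flashcards: the same login check written three ways against a constructed in-memory SQLite table (Python's built-in sqlite3, no external dependencies). The string-built query falls to the classic `' OR '1'='1` payload, the parameterized query does not, and an allow-list check on the username is the input validation the card names. The table contents and the username pattern are assumptions.

```python
"""Added example (not from the original flashcards): SQL injection against a
string-built query versus a parameterized one, plus allow-list input
validation. Constructed in-memory table; sqlite3 ships with Python.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Vulnerable on purpose: user input is spliced into the SQL text, so a
    password of  ' OR '1'='1  turns the WHERE clause into a tautology."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username: str, password: str) -> bool:
    """Hardened: placeholders keep the input as data, never as SQL syntax."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Assumed allow-list for usernames: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def login_validated(conn, username: str, password: str) -> bool:
    """Input validation as a second layer: reject anything that is not a
    plausible username before it reaches the database at all."""
    if not USERNAME_RE.match(username):
        return False
    return login_parameterized(conn, username, password)


def demo() -> dict:
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_with_payload": login_vulnerable(conn, "alice", payload),        # True
        "parameterized_with_payload": login_parameterized(conn, "alice", payload),  # False
        "validated_bad_username": login_validated(conn, "alice' --", "x"),          # False
        "validated_real_login": login_validated(conn, "alice", "correct horse"),    # True
    }


if __name__ == "__main__":
    print(demo())
```

Validation alone is fragile (passwords, for instance, cannot be allow-listed, which is exactly the field the payload above targets), so the parameterized query is the control that closes the bug; validation shrinks the attack surface around it.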
58
Mobile model: Company owns device, employee uses for personal tasks.,"COPE (Corporate-Owned, Personally Enabled)."
59
Testing apps in an isolated environment is called...?,"Sandboxing."
60
Two critical server hardening steps?,"Patching and Disabling unused services/ports."
61
Process that removes data to allow device reuse (unlike destruction)?,"Sanitization."
62
Assigning sensitivity levels to assets is called...?,"Classification."
63
Data classification level involving 'severe impact' if exposed?,"Sensitive."
64
Automated scan comparing systems to a database of known issues?,"Vulnerability Scan."
65
A reported vulnerability that is actually a non-threat is a...?,"False Positive."
66
Resource used to identify/anticipate threats via OSINT?,"Threat Feed."
67
What is the purpose of CVSS?,"To assign severity scores to vulnerabilities."
68
System designed primarily to prevent data exfiltration?,"DLP (Data Loss Prevention)."
69
Protocol for automated vulnerability management and compliance?,"SCAP."
70
System that collects, analyzes, and correlates logs?,"SIEM."
71
Adjusting monitoring thresholds to reduce noise/false positives is...?,"Alert Tuning."
72
Isolated network segment for public-facing services (aka DMZ)?,"Screened Subnet."
73
If an IPS misses current attacks, it likely needs...?,"Signature updates."
74
DLP configuration to stop personal email exfiltration?,"Block emails to non-business addresses."
75
Protocol and port for secure web traffic?,"HTTPS (Port 443)."
76
Access control based on job responsibilities/roles?,"RBAC."
77
ATM Card + PIN is an example of...?,"MFA (Multi-Factor Authentication): something you have plus something you know."
78
Technology allowing one login for multiple apps?,"SSO (Single Sign-On)."
79
Metric for likelihood of unauthorized biometric access?,"FAR (False Acceptance Rate)."
80
Primary benefits of Security Automation?,"Save time, consistency, improved response speed."
81
Automating the granting of access based on roles is...?,"User Provisioning."
82
Automating the recording/tracking of incidents is...?,"Ticket Creation."
83
Proactively searching for threats that evaded tools is...?,"Threat Hunting."
84
IR Phase: Restoring operations and verifying threat removal?,"Recovery."
85
Document tracking evidence handling for legal integrity?,"Chain of Custody."
86
Discussion-based walkthrough of an incident scenario?,"Tabletop Exercise."
87
Best data source to see exact data content transmitted?,"Packet Captures."
88
Logs used to see login attempts/auth events?,"OS-specific security logs."
89
Tool for visual identification of trends/spikes?,"Dashboard."
90
Role responsible for implementing/applying security controls?,"Data Custodian."
91
Group of participants with defined roles guiding day-to-day security?,"Committees."
92
Laws applying to US Hospital security roles?,"HIPAA and Privacy Rule."
93
Document outlining specific steps for responding to specific incidents?,"Playbook."
94
HR process for an employee leaving the organization?,"Offboarding."
95
Metric for expected monetary loss from a risk over a year?,"ALE (Annual Loss Expectancy)."
96
Metric for average life span of non-repairable appliances (e.g., firewalls)?,"MTTF (Mean Time To Failure)."
97
Buying insurance is an example of what risk response?,"Transference."
98
Formula for Risk?,"Risk = Threat × Vulnerability × Impact."
99
Document used to record and track identified risks?,"Risk Register."
100
Risk assessment using Low/Medium/High (Heatmap)?,"Qualitative."
101
Calculate ALE if SLE is $25,000 and ARO is 0.5.,"$12,500."
102
Primary objective of a vendor assessment?,"Assess reputation and capability to meet standards."
103
Agreement to protect confidential info shared with a vendor?,"NDA (Non-disclosure agreement)."
104
Tools to monitor vendors after engagement?,"KPIs and Rules of Engagement."
105
Collecting and presenting adherence to regulations is...?,"Compliance Reporting."
106
Consequences of non-compliance?,"Fines, Reputational damage, Loss of license."
107
Who is the 'Data Subject'?,"The individual whom the data is about."
108
Performing reasonable actions in advance to ensure readiness is...?,"Due Diligence."
109
Penetration test with full system knowledge provided?,"Known (White-box)."
110
Difference between Audit and Assessment?,"An audit verifies compliance with a policy or standard; an assessment measures how effective the controls are against threats."
111
Independent third-party verification of standards (e.g., ISO)?,"Certification Attestation."
112
Testing that actively exploits vulnerabilities?,"Offensive Penetration Testing."
113
Key step before running an internal phishing campaign?,"Inform stakeholders."
114
User transferring data late at night should be classified as...?,"Unexpected behavior requiring investigation."
115
Best mitigations for remote work cloud/patching risks?,"Data handling policies and Regular patching."
116
Best mitigations for video leaks and personal device usage?,"Secure conferencing training and BYOD policy."
117
Category of controls for risk decisions and policies?,"Managerial."
118
Category of controls for Firewalls and ACLs?,"Technical."
119
Category of controls for Locks and Fences?,"Physical."
120
Category of controls involving people/training?,"Operational."
121
Security awareness training is an example of which control category?,"Operational controls."
122
Controls that stop incidents from happening (e.g., Fences, Passwords)?,"Preventive controls."
123
Controls meant to discourage attacks (e.g., Signs, Lighting)?,"Deterrent controls."
124
Controls designed to monitor and detect unauthorized behavior?,"Detective controls."
125
Corrective controls are used at which stage of an incident?,"After the event."
126
Controls that guide operations/policy (e.g., Guidelines)?,"Directive controls."
127
Control category addressed by management (Risk assessment, Policy)?,"Managerial controls."
128
Control category designed to increase people/process security?,"Operational controls."
129
Firewalls fall under which control category?,"Technical controls."
130
Which control type enforces security policy?,"Preventive controls."
131
Which control type discourages policy violations?,"Deterrent controls."
132
Which control type warns of violations (e.g., alarms)?,"Detective controls."
133
Which control type mitigates damage during/after an incident?,"Corrective controls."
134
An alternative control used when the primary is not feasible?,"Compensating control."
135
Door access systems are what type of control?,"Physical control."
136
Controls to restrict server room access?,"Physical controls."
137
Confidentiality protects data from what?,"Unauthorized access and disclosure."
138
Assurance that a sender cannot deny an action/message?,"Non-repudiation."
139
The process of identifying a user (AAA Framework)?,"Authentication (verifying the identity the user claims; the claim itself is identification)."
140
Ensuring systems are accessible when needed?,"Availability."
141
Comparing current security vs. ideal state is a...?,"Gap Analysis."
142
Identity verification based on context (Location, Time, Device)?,"Adaptive Identity."
143
In Zero Trust, the Data Plane does what?,"Enforces policies (the Policy Enforcement Point); the Control Plane makes the access decisions."
144
Buffer zone at an entrance for access control?,"Access Control Vestibule (Mantrap)."
145
Sensor detecting movement via heat changes?,"Infrared sensor."
146
Decoy data object used as an early warning system?,"Honeytoken."
147
Consequence of ineffective approval processes?,"Introduction of new vulnerabilities from unvetted changes."
148
Who defines asset security requirements and risk profile?,"The Asset Owner."
149
Any group vested in the org's security (HR, Legal, IT, etc.)?,"Stakeholders."
150
Process dictating how changes are authorized?,"Approval Process."